(54) Title: A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

(57) Abstract

A method of renting software that relies on the reversal of encryption processes by the integration of secure processing into the system microprocessor of a user controlled data processing system. It consists of protected software objects that, in addition to being functionally limited so as to require reversal of said limitation within the system microprocessor, also have closely integrated information about conditions of use. This is used to distribute computer software on a large scale that may run on any computer. The user is charged on a unit basis. The secure processes described for the system microprocessor will have applications in other secure processes.
TITLE OF INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

TECHNICAL FIELD:

The distribution of software and other information reversibly functionally limited, usually by encryption, requiring reversal by a secure device that may also be used to provide software on a pay-as-you-use basis.

BACKGROUND TO THE INVENTION AND DESCRIPTION OF THE RELATED ART:

The invention describes a method and apparatus that protects software objects. The protected information cannot be used without the assistance of one or multiple secret processing devices. Said secret processing devices provide a mechanism for reversing the protection applied to said information, and said reversing may only be activated by certain predetermined secure processes. The process of activating said reversal … said information and or their agents receive correct payment for usage.
High speed dispersal of information between most computers with access to a modem, together with forthcoming means of storing in excess of ten gigabytes of information on a writable optical disk, is likely to lessen the commercial value of information released in clear code format. One clear code copy in the wrong hands could result in its effective worldwide dispersal in a short time.

One objective of the invention is to provide a means of maintaining security applied to information during and after it performs the functions required of it.

The known art describes a means of protecting computer software by requiring the presence of particular devices to operate properly. These devices are secure to varying extents. The problem with computer software is that the protection applied must be reversed prior to providing the information to the system CPU for processing. Once reversed it is accessible to those experienced in the art.

Known art WO 90/13865 describes a process whereby a secure location remote to a potential user supplies an encrypted software object to a user controlled data processing system and a secure method of decrypting said encrypted software object. The software object usually contains information that is continually varying. This provides security by default in that it is a waste of time analysing information that is redundant shortly after its creation. This known art does not provide effective security for objects that, once downloaded and deciphered, may be used in perpetuity, as is usually the case with computer programs.

Known art described in AU-A-14856/95 relies on software methods to process the deciphering algorithms used to reverse functional limitations placed on software objects. Said software methods are susceptible to an experienced person generating usable information from protected software objects reliant on this method.

The current invention may be used to significantly strengthen the security and flexibility of the known art described in WO 90/13865 and or AU-A-14856/95. It may also be used as a significantly more secure and flexible replacement for this known art.

Other known art calculates (and this may be by the use of information supplied by an associated computer program) certain values in a secure environment. Said values are passed to an associated computer program and compared with internally generated values. These methods are in effect verifying that said secure environment is present and has presumably been purchased with the computer program. Said secure environment is not providing an essential function absent from said associated computer program, as it is practical to circumvent this protection by disassembly of parts of the program to examine the other side of the equation.

The known art describes a cryptoprocessor (US patents 4465901, 4419079, 4278837, 4168396) that is capable of deciphering instructions and or data in real time as they are loaded into the central processing unit. Said instructions and or data are usually stored in enciphered format in external memory. This known art is not suitable for use in a user controlled data processing system:

• that may variably have one or multiple programs loaded from a potentially large selection … may use different decryption parameters; and or
• where the address occupied by a particular program may be different on each … (the known art is particularly directed at ensuring that an encrypted program will crash with minor variations to its location in the address map); and or
• where one or multiple encrypted programs may need to co-exist with clear code programs in a constantly varying environment; and or
• where it is not usually practical to protect the external memory from tampering and or analysis …; and or
• where an interrupt to an encrypted program may direct processing to non-secure methods that may threaten the secrecy of certain information, and this may include that within CPU registers at the time of interrupt; and or
• where an encrypted program needs to temporarily transfer processing to an unsecure …; or
• where an encrypted program needs to protect its stack from analysis; and or
• where an encrypted program exists as multiple modules that are loaded as required and where one or multiple modules may use different decryption parameters that need to be dynamically changed as program execution flows between them; and or
• where different programs in a multitasking environment, that may have different decryption parameters, need to be securely switched on a frequent basis.


The known art describes the programming of software objects into a secure microcontroller. This is restricted to a limited number of predefined functions. However, the known art does not describe the processing of software objects within a user controlled data processing system in conjunction with a secure environment, that is not practical to analyse, where said secure environment (that may be a microprocessor) includes … and provides for external software objects, that may be selected and loaded as required from a potentially large number, to be able to transfer processing (and or pass any required data) to said inaccessible information within said secure environment, wherein said secure environment includes instructions and or data (including that passed) which may be processed in secret within said secure environment to perform important functions and or any other functions that are absent from said software object, and that provides for transfer of processing and or data back to said software object as appropriate; and or provide data that is absent from an external software object when appropriately requested by said software object. Said inaccessible information:

• may be preprogrammed into a storage device; and or
• may be greater than the available storage device within said secure environment; and or
• may be dynamically swapped in and out of said secure environment; and or
• may be transferred to said secure environment and decrypted within said environment and processed within said secure environment;

and this applies for any of the preceding combinations when said secure environment is part of:

• one or multiple system microprocessors, and or
• one or multiple devices attached directly and or indirectly to the user controlled data processing system, and or
• devices linked via network and or Internet (or equivalent, in part or whole).


The known art does not describe any method and apparatus that permits multiple protected software objects, including those protected:

• by software encryption/decryption alone, and or
• by secure decryption within a secret environment, and or
• by secure decryption and secure execution of the ensuing decrypted information within said environment,

that allows said multiple protected software objects to concurrently and or otherwise execute in a multitasking and or multiuser and or multiprocessor environment (where said multiprocessors may be the same and or different).

One objective of the present invention is to provide a method and apparatus:

• that overcomes part or all of the aforementioned deficiencies in the known art, and
• that may be used to support a multiplicity of new methods and apparatus for distributing computer software, and
• that may be used to strengthen a number of weaknesses with the current art.

The known art describes a number of methods for distributing software whereby the … These methods include those protected exclusively by software methods. These usually include various software clocks that count down on a predetermined basis, and inactivate the program at the appropriate time. Payment is usually made for the use of a particular object on the terms predetermined. Disadvantages …:

• inherent lack of security;
• the unsecure nature of the protection processes makes it unlikely that software vendors w… the process;
• should software vendors make a large selection of software available, users would … access to the full period predetermined for each program, making it unappealing for users to access a large number of different programs as required (apart from any trial periods);
• lack of flexibility;
• users cannot themselves determine the amount of time …


The security of the process for renting software is improved with known art described in WO 90/13865, wherein there is a secure device within the user controlled data processing system … object downloaded from a service provider. Details of time used are periodically transferred back to the service provider. This method requires the user to be on line to receive said software object and to receive the timing parameters pertaining to said software object. The method also requires the user to remain on line for continued security of the process and to periodically upload elapsed time to the service provider. The user would normally be billed on a predetermined basis for software usage.

The known art does not describe a method and apparatus to provide a secure and secret … recording of usage of more than one program at a time in a multitasking and or multiuser and or multiprocessor environment.

The known art does not describe a secure and secret environment that can be securely preprogrammed with a predetermined amount of usage, whereby said usage:

• is prepaid, and or
• is a credit limit for use that will be billed at a later date;

and said predetermined amount of usage remains available for an extended period of time (preferably surviving loss of system power) for use as required, with said predetermined amount of usage appropriately varied according to use of multiple software objects over said extended time, and or said predetermined amount of usage may be securely updated with additional usage rights …

The known art does not describe a secure and secret environment that can:

• securely record usage of software objects; and or
• securely maintain a record of amounts owing to different vendors and or against different software objects; and or
• provide a report on any basis, including usage; and or
• temporarily or permanently disable itself in part or whole should said predetermined amount of usage be exhausted; and or
• temporarily or permanently disable itself should it fail to receive secure confirmation that reports sent to a service provider have been received.

The known art does not describe a method and apparatus to permit a large number of software objects to be created that include information about their particular billing requirements, whereby said software objects are subsequently distributed on a large scale permitting each potential user to use any of the software objects as frequently as they require and only pay for use incurred, said use reducing the amount of usage predetermined within said secure and secret environment. There is no known method and apparatus that compensates for variations between information stored within previously released software objects and that which is current, particularly as it applies to billing information.
It is another objective of the invention to provide a method and apparatus to overcome, in part or whole, the aforementioned deficiencies with the known art, and said method and apparatus may also be used for a number of other described applications. An important objective is the provision of a secure, virtually transparent (to the user) method of renting software for use on a user controlled data processing system (UCDPS) on a usage basis, that in one configuration is independent of any attachment to any devices coupled remotely (eg. telecommunications link) to the UCDPS.

The method and apparatus described to advance the art of protecting and distributing … adapted in part or whole to the protection and distribution of other commercially …

DEFINITIONS:

Replication or duplication may be one to many copies and may include replication of part or whole in any combination and or number.

Decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process. Unless relating to a specific decryption process that is a claim of the invention it may be interpreted as being any known method of decryption.

Decode is generally used in the traditional computer sense of decoding addresses etc., however, when the context permits it should be interpreted as for decrypted.

Clear text (or clear code) is information that is not encrypted and may be derived from encrypted information and or may have been supplied as clear code.

Internal to the System CPU (or System Microprocessor) indicates that the hardware and or microcode and or software is on the same integrated circuit substrate; and or that they are on multiple substrates interfacing where necessary using any known method and apparatus within the package of the system CPU; and or part is within the system CPU package and part (or all) external to the System CPU package and attached externally to the System CPU package using any method and apparatus.

A system CPU, also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS).

Processing or process refers to the actual execution of computer instructions and or the manipulation (in any way) of data associated with the computer instructions and or manipulation (in any …

Software Object: A software object is that which a person experienced in the art would consider a software object. Computer programs and or subroutines that constitute part of a computer program are considered software objects. Data pertaining to said computer programs is a software object. Information that is processed by a UCDPS and subsequently displayed as text and or images and or sound for any reason, including as normal output from a computer program and or electronic books (and similar) and or music and or other sound and or visual imagery and or video in the form of motion pictures is a software object.

PCPU: Within this application reference to a PCPU or Protected CPU refers to a Secret Processing Device (SPD) embedded within the system microprocessor package of a UCDPS.

ESPD: Reference to an External Secret Processing Device or ESPD refers to an SPD attached … to any other part of the UCDPS.

End of Definitions.

DESCRIPTION OF THE DRAWINGS:

Figure 1 is a diagram of an apparatus suitable for use as a secret processing device within the system microprocessor.

Figure 2 is a diagram of a basic embodiment of an SPD for use external to the system microprocessor …

Figure 3 is a diagram of the addressing for secure functions … the system microprocessor …

Figure 4 is a diagram of command port structure.

DESCRIPTION OF THE INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

The invention describes a method and apparatus for the protection of software … process for the mass distribution of software. This is done by functionally limiting a software object and securely linking it with conditions of use and object support information to create a Protected Software Object (or PSO) which must be used with a Secret Processing Device (or SPD) that is directly or indirectly attached to a User Controlled Data Processing System (or UCDPS). This provides a … software. The preferred location of the secret processing device is within the package of the system microprocessor of the User Controlled Data Processing System, where the combination is referred to as a Protected CPU (or PCPU).

The following describes those aspects considered essential to a full …

1) a method of distributing software objects from a producer to a potential user comprising:

i) providing a secret processing device (or SPD) for direct and or indirect attachment to a UCDPS whereby said SPD is any one or multiple hardware devices that may use any combination of software and or microcode and or any other method to provide a secure and secret environment for processing information … that provides the following:

a) any one or multiple methods and or apparatus that:
securely decrypt and execute instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied using the Oscar method (described later); and or reverses the functional limitations applied using the Groover method (described later); and or reverses any other functional limitations applying to a PSO; and or transfer … that may be necessary to provide any of the functions required by said PSOs; and or access any part of one or multiple PSOs that may be located external to the SPD in order to provide any of the functions required by said PSOs; and or examine the generic and or distinct conditions of use linked to a particular PSO, and or determine a response to said conditions of use, and or respond to said conditions of use;

and or

b) may be embedded, in part or whole, within the package of the system microprocessor and or … within any one or multiple devices attached directly and or indirectly to the system microprocessor and or the UCDPS, and may not disrupt the normal functions of the UCDPS, and may in part or whole be used as part of an application that in part or whole is dependent on connection to a distributed data processing system, that may be of any type, including local networks and or intranet (or similar) and or the Internet (or similar), and may benefit from connection to one or multiple remote computers and or any other devices to simplify transmission of various information; however, said secure and secret processing functions, in part or whole, are functional and or remain functional when said UCDPS that has been provided with said secure and secret processing functions is used as a standalone unit independently of attachment to remote devices, and said UCDPS may be switched on and off for variable periods of time and or moved to different locations and or reset as frequently as required, without affecting the functions that are provided to said UCDPS;

and or

c) provides an area of secure memory storage devices that is not practical to analyse;

and or

d) provides for partition of secure memory storage devices into one or multiple secure system partitions and one or multiple user partitions whereby programs in system partitions may access user partitions, however, a user partition may not access a system partition unless authorised, and or any particular user partition may not access any other user partition unless authorised;

and or

e) may transfer part or all of protected software objects and or any other software object from unsecure to secure locations for processing and or transfer information from a secure location to an unsecure …;

f) may securely decrypt part or all of the encrypted parts of protected software objects and or any other encrypted information within said secure locations;

and or

g) may process part or all of one or multiple protected software objects in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted;

and or

h) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code, that assist and or replace any other known software protection and or distribution systems that are dependent in part or whole on user accessible software processes and or unsecure identifying codes to provide protection against unauthorised use of software objects, when part or all of said user accessible software processes and or unsecure identifying codes are transferred (either by preprogramming and or dynamically as required) to a secure location that permits private processing of the information;

and or

i) have the capacity to detect whether part or all of said suitably … tampered with;

and or

j) may perform secret encryption and secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function;

and or

k) have the capacity to implement, in part or whole, one or multiple hardware devices in programmable logic, preferably programmable logic that may be rapidly erased …, and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software objects;

and or

l) may use any method to determine that there is an attempt to gain access to …; said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of the … of the secret information that may be stored within secure memory storage devices;

and or

m) may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information;

and or

n) may have the capacity to securely monitor the usage of protected software objects;

and or

o) may securely record the usage of said protected software objects and the record … of the usage on a producer and or product and or any other basis, and said record …;

and or

p) may request and or compel (this may include temporarily disabling …) the user of the UCDPS to provide any necessary reports of usage to a service provider …;

and or

q) may confirm that said reports have been received as required;

and or

r) does not require modification of the User Controlled Data Processing System operating system …;

and or

s) may not require special routines to intercept calls to said system operating system;

and or

t) may identify the type of protected software object and act as required;

and or

u) provides or have access to one or multiple tamperproof, non-volatile source…
WO 97/25675 PCT/AU97/00010


and or

v) provides or have access to one or multiple tamperproof timers;

and or

w) provides one or multiple methods of identifying …, … an electronic signature;

and or

x) provides one or multiple secret codes and or programs that are unique … across particular groups of SPDs;

and or

y) provides one or multiple programs, that may be preprogrammed (into the SPD) and or transferred (into the SPD) as required, that use secret information unique to the SPD to decrypt …;

and or

z) may process multiple protected software objects in a multitasking environment, and this may be transparent to the UCDPS operating system;

and or

aa) include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and deleted and or expanded and or in any other way altered, in a secure manner and usually transparently to the user of the UCDPS, enabling appropriately configured PSO(s) to adapt the secure information in the SPD for any purpose, including: making multiple SPDs identical in part at least (including multiple PCPUs in a multiprocessor system), and or creating one or multiple applications not currently available to the SPD; and or that permits any current application to be dynamically adapted, including dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections; and or dynamically modifying decryption processes;

and or

ab) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any function described for the correct processing of protected software objects;

and or

ac) include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose;

and or

ad) may decide to reverse one or multiple functional limitations on one or multiple … use, when said decision is in part at least autonomous to the SPD and based in part at least on secure processing, internal and or external to the SPD, of generic information applicable to multiple PSOs, to … of any information states within and or external to the SPD, including one or multiple electronic credits that are modified (directly or indirectly) in response to use of PSOs on a time and or events used basis …, … as long as the requirements of one or multiple PSOs and or SPDs are complied with …, able to execute and or process one or multiple PSOs on the same basis as if they were unprotected …;

ii) providing a software object;

iii) modifying part or all of said software object such that it is functionally limited to run on only a UCDPS fitted with a SPD or equivalent, and the functional limitation is by the Oscar method as defined below and or by the Groover method as defined below and or by any other method, and said functional limitation may be of one or multiple essential parts of the software object, preferably such that it is not practical to regenerate the original software object from any parts that are not functionally limited, and said modifying is preferably done at a secure location (also referenced as a service provider) that has access to part or all of the secret information contained within the SPD; and for any particular functionally limited software object the functional limitation may only be reversed in a specific SPD with any unique characteristics necessary to reverse the functional limitation, or the functional limitation may be reversed on a plurality of SPDs characterised by common characteristics … functional limitation; and or

modifying part or all of said software object, using any method, such that it is securely linked, by any method, to one or multiple conditions of use, also referenced as PCPU Inclusion Commands (or PIC), that in part or whole are tamperproof and that include any code that directly or indirectly identifies the producer of the software object and or identifies the software object such that an SPD … record use of that particular software object and or use of PSOs by a particular producer and or on any other basis, in part or whole, where the record of use in part or whole is used in determining remuneration … and or any other parties; and or the conditions of use include any code that contains information which may be used by the SPD to determine if the software object:

is permitted to execute in part or whole on a units of time used basis, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute in part or whole on an events occurring basis, for example the number of times one or multiple parts of the program are loaded and or executed and or any other measurable events basis, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute on an unlimited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

is permitted to execute on any type of limited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably a generic units of use basis, and said generic units may be attributed any real currency value at any stage;

and or

requires entry of one or multiple data keys of any type prior to initiating … the first and or any other time on a particular SPD, and may include whether or not a fee is to be charged for providing the data key;

and or

requires any other restrictions to be placed on use;

and

any software object modified in part or whole as described is referred to as a Protected Software Object (or PSO);

5 said Oscar method* is any functional limitation of pan or all of a software objea by any method of eocryptioQ, 

6 usually at a secuxe location remote to the user, what pan oi all of the reversal of the encrypted infonnatian, by 

7 decryption and cs any other method, occurs widiin a secure environment directly and or indirectly att ached to a 

8 UCDPS such that pan or all of the instructions and or data of the software object leccostitDied by said reversal are 

9 not accessible to analysis by any unauthorised party and the execution of pan or all of said instructicns and the 

10 processing (using any method) of pan or all of said data that is not accessible to analysis by an tmauthorised pany 

1 1 remains in pan or ^ole inaccessible to analysis by any unauthorised party. The result is that part at least of the 

12 functional limitation placed on a software object is not cAmp rnwnijiff ^ process of using said software object; 

13 said Groover method is any functional limitation of pan or all of a software objea by deletion of pan or all of the 

14 information within the software object, usually at a secure location remote to die usa, where pan or all of the 

15 reversal of the deletion, by any method, occurs within a secure environmem directly and or indirectly ATT ftc^fd to a 

16 UCDPS such that pan or aU of the instructions and or data of the software objea reconstimted by s^ 

17 not accessible to analysis by any unauthorised party and the execution of pan or all of said instructions and or the 

18 processing (using any method) of pan or all of said data that is not accessible to analyas by an unauthorised party 

19 remakts in pan or i^ole inaccessible to analysis by any unaudiorised party. The result is that pan at least of the 

20 functional limitation placed cbi a software objea is not c omp r om ised by the process of using said software object; 
21 

22 iv) providing one or multiple PSOs onto conqsuter-accessible memoiy media axKi or any suitable ai^iaratus for 

23 dectrcHiically transfening said PSOs to a potential user, and preferably the conditions of use attached to said one cr 

24 nmltiple PSOs permit said PSOs to be used on a time or events used basis in a UCDPS suitably equipped with a 

25 SPD dm has sufRdemaforenieiuioned units of measuremem stored within and or sec^ 
26 

27 v) shipping said one or multiple PSOs on computer-accessible memory wiprfin to a potential user and or 

28 electronicaUy transfening said one or multiple PSOs; 
29 

30 vi) loadnig said one or multiple PSOs into a UCDPS and excairing as permitted hy pnmrtit f ryn g wsr. 
31 

32 vii)wheierequiredby the conditions of use or any other reason, a means for the user to: 

33 • request die supply of one or multiple units of measurement that may be required by the SPD for any purpose, 

34 and or 

35 • receive one or multiple said uxuts of measurement, prtfembly in suitably encrypted format, ^hat may use any 

36 method, and transfer said units of measureniemiiito the SPD, and or aoxssible to 

37 • request the sni^y of one or nmltiple data keys that may be required by die S^ 

38 • receive one or multiple data keys and transfer said data keys hito the SPD. aiul or an 

39 any mgthnri^ and or 
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1 • gcnaate one or multiple repons of software usage and or any oibcr inf onnation that may be nquixecU and 

2 sui^y said iqxiris CO service pnivkler and or any othff extern^ 

3 • receive one or multiple codes confmmng tbai said report has been received and supply said cme ot multiple 

4 codes confirmmg into \ht SPD and or accessible to ita SFD, and or 

5 • request the service provider and or any other authorised party for ooe or multiple codes that may be used to 

6 reactivate pan all of the SPD that may have been disabled for any reason 

7 • ra»ve one or nmltiplc codes to reactivate part or aU(rf the SPD ttiai may have 

8 transfiBr said codes into the SFD, and Qt accessible to the SFD and 

9 for any of die prcccdmg, the information generated by die UCDPS and w received frmn the scnocc provider is 

10 preferably transferred electnmically, however, any <»her combination <tf methods may be used mcinrting mftiiing ^ 

1 1 computer-accessible meoujry media containing the inf omiation. 
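The conditions of use enumerated above, as an added example that is not part of the patent: a C model of how an SPD could evaluate a PSO's conditions of use (time, events, unlimited or limited basis, and data-key entry) against the generic units it holds before permitting execution, and record failed key attempts until it disables itself. The structure and field names, the unit values, the key comparison and the three-failure threshold are all constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the conditions of use bound to a PSO and of the
 * state the SPD keeps for that PSO in secure memory. */
enum cou_basis { COU_TIME, COU_EVENTS, COU_UNLIMITED, COU_LIMITED_RUNS };

struct conditions_of_use {
    enum cou_basis basis;
    uint32_t fee_units;     /* generic units per time slice, per event, or once */
    uint32_t run_limit;     /* COU_LIMITED_RUNS: maximum number of loads permitted */
    bool     key_required;  /* a data key must be entered before the first execution */
    uint32_t key_fee_units; /* fee, if any, charged for providing the data key */
};

struct spd_state {
    uint32_t units;           /* generic units of measurement held by the SPD */
    uint32_t runs;            /* loads/executions counted for this PSO */
    bool     key_entered;
    bool     unlimited_paid;
    uint32_t failed_attempts; /* wrong data keys recorded, as the patent allows */
    bool     disabled;        /* the SPD disables itself after repeated failures */
};

enum cou_result { COU_PERMIT, COU_DENY_UNITS, COU_DENY_KEY,
                  COU_DENY_LIMIT, COU_DENY_DISABLED };

#define MAX_KEY_FAILURES 3   /* constructed threshold */

static bool debit(struct spd_state *s, uint32_t n)
{
    if (s->units < n) return false;
    s->units -= n;
    return true;
}

/* Constant-time comparison so a wrong key is not distinguishable by timing. */
static bool key_matches(const char *given, const char *expected)
{
    size_t n = strlen(expected), g = strlen(given);
    unsigned char diff = (unsigned char)(g != n);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = i < g ? (unsigned char)given[i] : 0;
        diff |= (unsigned char)(c ^ (unsigned char)expected[i]);
    }
    return diff == 0;
}

/* The user supplies a data key; 'expected' stands in for the key the SPD
 * would hold in secure memory (constructed for the model). */
enum cou_result spd_enter_key(struct spd_state *s, const struct conditions_of_use *c,
                              const char *key, const char *expected)
{
    if (s->disabled) return COU_DENY_DISABLED;
    if (!key_matches(key, expected)) {
        if (++s->failed_attempts >= MAX_KEY_FAILURES) s->disabled = true;
        return COU_DENY_KEY;
    }
    if (!debit(s, c->key_fee_units)) return COU_DENY_UNITS;
    s->key_entered = true;
    return COU_PERMIT;
}

/* Called each time the UCDPS loads the PSO and asks the SPD to reverse its
 * functional limitation. */
enum cou_result spd_request_execution(struct spd_state *s, const struct conditions_of_use *c)
{
    if (s->disabled) return COU_DENY_DISABLED;
    if (c->key_required && !s->key_entered) return COU_DENY_KEY;
    switch (c->basis) {
    case COU_UNLIMITED:          /* one fee, then unlimited use */
        if (!s->unlimited_paid) {
            if (!debit(s, c->fee_units)) return COU_DENY_UNITS;
            s->unlimited_paid = true;
        }
        break;
    case COU_LIMITED_RUNS:       /* capped number of loads, each charged */
        if (s->runs >= c->run_limit) return COU_DENY_LIMIT;
        /* fall through */
    case COU_EVENTS:             /* charged per load/execution event */
        if (!debit(s, c->fee_units)) return COU_DENY_UNITS;
        break;
    case COU_TIME:               /* charged per slice by spd_time_tick */
        break;
    }
    s->runs++;
    return COU_PERMIT;
}

/* Time basis: one slice is debited per tick of the SPD's realtime clock. */
enum cou_result spd_time_tick(struct spd_state *s, const struct conditions_of_use *c)
{
    if (s->disabled) return COU_DENY_DISABLED;
    if (c->basis != COU_TIME) return COU_PERMIT;
    return debit(s, c->fee_units) ? COU_PERMIT : COU_DENY_UNITS;
}
```

A denial of COU_DENY_UNITS is the point at which the user would request more units of measurement from the service provider, as item vii) describes.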
PREFERRED IMPLEMENTATION OF THE INVENTION

To assist with understanding the invention, reference will now be made to … one example of the invention. In the drawings, Figure 1 shows an apparatus that is suitable for use as a secret processing device embedded within the system microprocessor.

Throughout this description and the accompanying drawings … an identifying symbol. This may represent any number of signals … clock, clear and set a flip flop, however, usually only one signal line will … of various buses, the lines represent whatever number of signals constitute said … relevant for the logic functions it may be entering or leaving. Many control lines are not described or shown in this description as it will be obvious to anyone experienced in the art, where, when, and how, they should be used in order to make functional any apparatus described; descriptions are detailed when needed to help clarify the implementation of any particular function. Throughout this description, the polarity of signals is usually immaterial and not discussed unless of specific consequence; it will be whatever is required in a practical implementation of the invention. When a latch or other device is set or cleared the alternative … register is a commonly used storage device in parts of this description, it may be … combination of logic and or software and or microcode that results …

The invention describes:

1. a method of reversibly functionally limiting a software object that requires a secret processing device (or SPD) to reverse part or all of the functions of the reversible functional limitations and preferably includes a method of securely linking the conditions of use that apply to a particular reversibly … reversibly functionally limited software object such that this information may be used in part or whole to … whether to permit the SPD to reverse the reversibly functionally limited software … preferably an integral part of the reversibly functionally limited software object and or supplied as one or multiple other modules that are linked in a manner that prevents the unauthorised separation of conditions of use and reversibly functionally limited software object. This produces a protected software object (or PSO) which may be distributed to a potential user and loaded onto a UCDPS and includes instructions to the SPD on how it may be used. This permits objects to be widely distributed and used on stand alone UCDPSs conditional on the SPD that is required to reverse, in part at least, the reversible functional limitations, complying with the conditions of use. The conditions of use may also be supplied in any other way, e.g. as separate modules … linked, into an SPD transparently to the operating system of the UCDPS or by using …
When a PSO is securely linked with conditions of use it may be used on a UCDPS equipped with an SPD without any extra intervention by the user than would normally be required for the protected object in its native software object form, with the exception of any requirements that the SPD requires of the user.

2. an apparatus referenced as an SPD that has various secure system functions that allow it to interact correctly with one or multiple reversibly functionally limited software objects … includes an internal secure and secret operating system referred to as secure system functions. They interact in any way required to appropriately reverse in part or whole, reversibly functionally limited software objects. The secure functions of the SPD may have other applications.
The preferred embodiment of an SPD is included within the package of the system microprocessor, such a combination may be referred to as a protected CPU (or PCPU). An SPD may be … the UCDPS external to the package of the system microprocessor; this is referenced as an ESPD. A PCPU may include multiple system microprocessors. There may be multiple PCPUs within a UCDPS. There may be multiple ESPDs within a UCDPS. Multiple SPDs in any location may interact in any way and combination with any others or not at all. The embodiment of a system microprocessor to implement the apparatus of the invention is predominantly dependent on the use of secure memory storage devices of various types and an ability to securely process information within these devices and a person experienced in the art will be able to arrange logic, software and microcode in many combinations to effect versions of an SPD and PSO that are within the spirit of the invention. This arrangement permits the secure functions required of the present invention to be implemented. A person knowledgable in the art will appreciate that the secure processes used for the invention may have multiple other secure applications. The known art does not describe a system microprocessor suitable for use in a UCDPS that provides the secure processing functions described in this embodiment. The invention allows for any system microprocessor that provides the apparatus and or functions described …
Figure 1 shows a block diagram of a system microprocessor that may communicate with a secure microprocessor that is securely linked to one or multiple secure functions, including secure memory, realtime clock and other secure functions. When the secure memory is programmed with appropriate information, the combination of software routines and embedded hardware functions and changes to the microcode of the system microprocessor provides all of the requirements of an SPD securely embedded within the system microprocessor package. This device may be used to replace the existing system microprocessor in a UCDPS and … any information required to meet the conditions of use attached to a PSO, may execute that PSO as if it were a normal software object. It will be appreciated by those experienced in the art that there are many ways of combining logic, software and microcode to implement the device as described.
Figure 1 shows the silicon chip 130 of the system microprocessor 1. The system microprocessor 1 normally interfaces with external locations via an address bus 5 and address buffers 2 and data bus 6 and data buffers 3 and various control logic 7 via buffers 4. Buffers 2, 3 and 4 are enabled/disabled … microprocessor 1 via control line 9. Instructions are interpreted and implemented by a combination of microcode and logical devices within the instruction execution block 8, located within system microprocessor 1. The apparatus of the invention needs to communicate with the system microprocessor 1 and this is most readily implemented with dual port memory 19, a memory that allows read and write accesses by two devices to the same addresses on an asynchronous basis. There are many ways of achieving an equivalent result. As described in this embodiment the DP memory 19 is not intended to store secure information; it is functional … processes and it is not practical for an unauthorised person to access secure information … The invention allows for the recording of failed attempts at access and may disable itself to prevent repeated attempts to compromise secure elements.
The system microprocessor side of the DP memory 90 may be decoded into the normal … using any known decoding apparatus, however, the preferred method is to make the addresses occupied by the 90 side of the dual port memory 19 a separate address space to the UCDPS. The … referenced as a transparent address activator (TAA) … functions.

The primary interaction of the system microprocessor 1 to dual port memory 19 will be to read and write data between UCDPS addresses and dual port memory 19 for transfer into secure functions 50 by the secure microprocessor 20 and the reverse. There may also be a requirement to transfer data from one location to another within the dual port memory 19. The address space occupied by the dual … Reset of the system microprocessor 1 initialises normal address decoding, with the dual port memory 19 inaccessible by the system microprocessor 1.
The execution of a TAA instruction, with for example X as the opcode, and the combination … carried out if the system microprocessor 1 wants to move information from UCDPS memory to dual port memory 19, in which case buffers 2, 3, 4 would be activated by 9 for reads from any address … a write operation the address decoder enable signal 11 is active, enabling the address decoder 10 to decode a predetermined address block (that may be made programmable) of dual port memory 19 using chip select 13, that also keeps the buffers 2, 3, 4 disabled by blocking any enabling effect of 9 via logic gate 14. Data is read from UCDPS memory space and written to dual port memory 19. Instruction TAAY performs the reverse by activating 11 during read operations. Instruction TAAZ activates 11 for reading and writing. TAAB disables 11 for all reading and writing, the normal situation. The TAA instruction only affects operations that are fetching data, not instructions, and most system microprocessors have a signal to distinguish between the two. An instruction referenced as the TBAX instruction may be used to activate instruction fetches from dual port memory 19, by activating 11 during instruction fetches and may be disabled by the TBAY instruction. Instructions are read operations. TAA and TBA instructions may be used in any combination. A reset has the same effect as TAAB & TBAY ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the dual port memory 19 are from UCDPS memory. A watchdog counter or timer may be set, and this may be automatic, to perform an automatic TBAY instruction or any other method to avoid trapping the system microprocessor in dual port memory 19.
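The TAA/TBA routing just described, as an added example that is not the patent's own code: a C behavioural model of how signal 11 decides whether a data read, data write or instruction fetch is routed to UCDPS memory or to dual port memory 19, including the watchdog that performs an automatic TBAY. The DP block base and size, the watchdog limit and the enum names are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>

#define DP_BASE 0xF000u   /* constructed: block decoded by 10 with chip select 13 */
#define DP_SIZE 0x0400u
#define TBA_WATCHDOG 8    /* constructed: DP fetches permitted before automatic TBAY */

enum cycle  { DATA_READ, DATA_WRITE, INSTR_FETCH };
enum target { TO_UCDPS, TO_DP };
enum opcode { TAAX, TAAY, TAAZ, TAAB, TBAX, TBAY, RESET };

struct taa_state {
    bool read_dp;        /* 11 active during data reads  (TAAY, TAAZ) */
    bool write_dp;       /* 11 active during data writes (TAAX, TAAZ) */
    bool fetch_dp;       /* 11 active during instruction fetches (TBAX) */
    bool irq_inhibited;  /* TAA/TBA inhibit interrupts while any mode is active */
    unsigned fetches;    /* watchdog counter started by TBAX */
};

/* Execute one of the transparent address activator instructions. */
void taa_exec(struct taa_state *s, enum opcode op)
{
    switch (op) {
    case TAAX:  s->write_dp = true;  s->read_dp = false;  break;
    case TAAY:  s->read_dp = true;   s->write_dp = false; break;
    case TAAZ:  s->read_dp = true;   s->write_dp = true;  break;
    case TAAB:  s->read_dp = false;  s->write_dp = false; break;
    case TBAX:  s->fetch_dp = true;  s->fetches = 0;      break;
    case TBAY:  s->fetch_dp = false; break;
    case RESET: /* same effect as TAAB and TBAY: normal decoding on startup */
        s->read_dp = s->write_dp = s->fetch_dp = false;
        s->fetches = 0;
        break;
    }
    s->irq_inhibited = s->read_dp || s->write_dp || s->fetch_dp;
}

/* Route one bus cycle: decoder 10 asserts chip select 13 (and gate 14 holds
 * buffers 2, 3, 4 off) only when 11 is active for this kind of cycle and the
 * address lies in the DP block; every other cycle goes to the UCDPS bus. */
enum target taa_route(struct taa_state *s, enum cycle c, uint16_t addr)
{
    bool in_block = addr >= DP_BASE && addr < DP_BASE + DP_SIZE;
    bool sig11 = (c == DATA_READ)  ? s->read_dp  :
                 (c == DATA_WRITE) ? s->write_dp : s->fetch_dp;
    enum target t = (sig11 && in_block) ? TO_DP : TO_UCDPS;

    /* Watchdog: after TBA_WATCHDOG fetches from DP memory an automatic TBAY
     * is performed so the processor cannot be trapped in dual port memory. */
    if (c == INSTR_FETCH && t == TO_DP && ++s->fetches >= TBA_WATCHDOG)
        taa_exec(s, TBAY);
    return t;
}
```

With TAAX active a copy loop's reads still come from UCDPS memory while its writes into the DP block land in dual port memory 19, which is the transfer the text describes.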
This method and apparatus provides a novel transparent method of including one or multiple devices within a system microprocessor without potentially conflicting with existing resources in a UCDPS and has multiple applications to the art of system microprocessor design. To avoid problems with interrupts directing processing to another routine that expects a normal environment, interrupts are inhibited by TAA and TBA instructions. An alternative allows for similar instructions that do not inhibit interrupts, allowing the interrupt handler and or task switcher to handle the situation, in which case the TAA and TBA instructions are disabled by an interrupt and a record of their status is stored in a location, e.g. a special register, accessible by the system …
Secure processing is provided by including a second microprocessor 20 within 130 that may read and write to addresses within the secure address map 50 without being available to external analysis. Secure address block 50 is predominantly memory, divided into a small amount of mask ROM 51 to initially program the other information into the device, flash memory 52 for storage of information that needs to remain in the device in the event of total power loss, and battery backed static memory 53, that stores important information which may be rapidly erased in the event of tampering. The microprocessor 20 communicates with the secure memory 50 via address lines 84, data lines 100, and other various control lines including read write 93. Also decoded within … a battery backed realtime clock and or calendar 89 that cannot be tampered with and a crystal. A data encryption standard engine is preferably included. Decoding of secure addresses is provided by decode logic 25 and the various chip select signals are output on 83 to the various secure devices. The power management logic 65 receives external power on 60 and battery power on 87 from (preferably rechargeable) battery 70. An A/D converter 75 monitors voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional voltages to flash memory 52, other battery backed logic and provides recharging power to the internal battery 70. The microprocessor 20 communicates with the system microprocessor 1 via a dual port memory 19. The microprocessor 20 side 91 of dual port memory 19 is decoded by 25 via 40. … lines … and read/write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and dual port memory 19. A similar method allows the system microprocessor to communicate with dual port memory via chip select 13 from its decode logic 10 and addressing 14 and data 6. The decode circuit 10 uses high order address lines 12 and control lines 32 (e.g. valid address) and 11 (activated by TAA, TBA). This provides a method of transferring information to and from external locations to dual port memory 19 that may be read and written by microprocessor 20. No user supplied program can access the information in secure memory without access to the secret codes required, and these may be made as complex as secure memory resources allow.
It is preferable that the secure microprocessor includes a direct memory access (DMA) facility to move blocks of information from UCDPS memory directly into secure memory locations and or from secure memory to external locations. This may actually improve the efficiency of the original system microprocessor, permitting it to perform other tasks while a block of information is securely processed in internal memory. Access to this DMA facility should be decoded into the secure functions … originating within secure system … program executing in a user partition having unsupervised access to the DMA controller 125 that may be programmed to move a large block of system information to external …

The microprocessor 20 would usually program the DMA controller … read/write 102, using a routine known to have originated within one or multiple predetermined system functions. The details of including a DMA controller 125 are not described or shown. … address 5, data 6 and control lines 7 of the system microprocessor 1, with similar signals generated by the DMA controller 125 to read or write external locations and multiplexing of the address, data, and control lines of microprocessor 20 to read and write secure addresses. These may … controller is within the system microprocessor die … controller 125 would be easier to implement at a logical level than for external DMA controllers. This type of DMA is transparent to external devices.
The invention also allows that the microprocessor 20 may be a duplicate of the … very powerful processing system, allowing secure and unsecure execution to proceed concurrently. Another attractive option is to use two different system microprocessors … CPU. These may be multiplexed by one experienced in the art such that one system … system functions while the other provides secret processing of various … activated in any way, e.g. hold reset low, may switch the roles. The secure functions may be duplicated, in part or whole, or each may have its own secure functions that are inactivated … unsecure processor. A switch from secure processing to unsecure processing preferably ensures that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state. All secure functions would usually be inaccessible to the system microprocessor in unsecure mode. A person knowledgable in the art should be able to design such an embodiment that performs to the requirements of the invention. This provides a convenient means of providing … integrating two different UCDPSs into one. Of course this scenario might be expanded to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the resident operating system and periph… referenced in this application as the Host CPU. Any other system microprocessors are referenced as a Grafted CPU. No changes would usually be required to any software to operate the Host … required to simulate the correct environment for a Grafted CPU … address map of the grafted system microprocessor that detects all accesses to res…

It will be appreciated by those experienced in the art that the embodiment … be readily transferred to a location external to the system microprocessor by providing a secure package and replacing the transparent address space of the version within the PCPU with an appropriate address within the UCDPS address space.
A basic embodiment of an SPD for use external to the system microprocessor is described with reference to Figure 2 of the drawings showing a printed circuit board 700 that is capable of con… bus expansion of a UCDPS 720 via the gold fingers 701 on the printed circuit board 700. Mounted onto PCB 700 are an address decoder 702 to receive address signals from the address bus of the UCDPS 721 and various control lines 722 that it uses to decode the UCDPS side of the dual port memory 704 to a sel… address map of the UCDPS using chip select line 712. The lower order address lines 723 of the UCDPS together with UCDPS data bus signals 724 and a read/write signal 725 pass from the UCDPS bus via buffer 703 to the UCDPS side of the dual port memory 704 via signal lines 713. The part of 703 that buffers the data lines is bidirectional. A microprocessor 707 includes two interrupt lines 730 and 731 and an external address bus 714 and a valid address signal 733 and a bidirectional data bus 715 and a read/write line 732 and internal programmable non-volatile memory 708 (e.g. flash memory) and a boot routine 735 to load information into non-volatile memory 708. A static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and data bus 715 and read/write line 732. Static RAM 709 is activated by chip select 740 that is created by the address decoder 705 decoding the high order address lines on address bus 714 in conjunction with address signal 733. When static RAM 709 is selected the microprocessor 707 may read and write data to and from it. The microprocessor 707 side of the dual port memory 704 is attached directly to the 707 data bus 715, and read/write line 732 and low order address lines of address bus 714. The microprocessor 707 side of the dual port memory is activated for read and write operations by chip select 750 generated by address decoder 705, from … lines on the address bus 714 and the valid address signal 733. A rechargeable battery 710 is included providing backup power via 711 to the microprocessor 707 and the static memory 709. When the board … an active UCDPS, the battery 710 is recharged from the system power supply. Microswitch … line 730 causing an interrupt when the tamperproof enclosure 716 is disrupted. The tamperproof housing 716 securely encloses 710, 707, 709, 708, 704, 712, and all signal lines that may provide useful information. Interrupt line 731 causes an interrupt to 707 when the address decoder 702 decodes any address within the dual port memory, indicating that the external system microprocessor is accessing the device and that action may be required by microprocessor 707. The microprocessor 707 is normally in low power sleep mode. If awakened by interrupt 730 it immediately sequentially erases the values stored within SRAM 709 using a routine preprogrammed into 707 prior to enclosure in 716. If awakened by 732 it continues processing as required. The SPD as described may be integrated into a single chip. A person experienced in the art would be able to adapt this design to attach the SPD to any suitable non-bus interface. A suitable location may be the parallel port on a shared basis with the printer; the known art for other types of software protection devices describes such a shared interface. The inclusion of a cryptoengine implemented in hardware would enhance decryption processes that are fundamental to the secure and versatile functions provided by an SPD.
Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor package 130 of Figure 1. These secure functions may only be addressed by the secure microprocessor 20 and may not be accessed by external programs other than said external programs providing information that is usually subject to validity checks and decryption before acceptance by the secure microprocessor 20 for further processing. The address decoder 25 decodes a battery backed realtime clock calendar 89 with chip select 140, DMA controller 125 with chip select 142, Data Encryption Standard Engine 135 with chip select 143, and if the DES engine is constructed in part or whole from programmable logic devices (preferably SRAM, that may be battery backed if nonvolatility is required) that are dy… 141, tamper detect 80 (preferably including a continually powered simple microcontroller to provide continuous security monitoring) selected by 144, A/D converter 75 by select line 145, power management by … preceding devices would usually have fixed locations in … the chip selects 140, 141, 142, 143, 144, 145, 146, and any other additional select lines that may be included to access other secure devices, may only be selected if the instruction that outputs … chip selects originates from within a memory location in the secure … this area from non-system (user) programs, usually user application programs … first address of an instruction and compare it with an address block … memory 147. This address block is preferably programmable to allow the … however, there will be a known default on reset of the secure microprocessor 20. As an added precaution it is preferable to latch the first address of the preceding instruction and do a similar comparison. This requires any instruction that attempts access to secure functions in this part of the address map to have originated in secure system memory and the instruction prior to it must also have origin… a program that may be executing within a secure user partition from a code … counter of the secure microprocessor 20 with a value pointing to a secure … address of the first instruction may be determined by including in the microcode of secure microprocessor 20 the generation of a signal to indicate that it is the first address of the instruction (this may already be the case). The program counter contents may also be latched. Chip … allocated to secure system functions. When the secure microprocessor 20 is reset it jumps to an initialisation routine in this memory. The size of this memory is preferably variable to accommodate changing circumstances. This is usually done by programmable boundary registers 160 that are selected … fixed at the top of the available address space. The programmed value of 160 is sup… provided to its address comparators. These methods are well known to the art. Chip select 161 preferably requires the same precautions as regards checking the origin of the instruction as described 142, etc. Chip select 147 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to have originated in secure system memory addresses in order to be decoded. A… reset the latches that store the addresses of the two relevant instruction … system memory. This enables the secure microprocessor 20 to read information … provides a method for a user routine to transfer processing back to system … function may write to an addressable location that generates a user interrupt 180; the system functions may then interact in any predetermined manner to meet the requirements of the user function. The balance of the secure memory is allocated to various user functions. In a multitasking UCDPS … user partitions. The preferred method is to have one or multiple sets of address boundary registers … be programmed by secure system functions decoding select 171, with the … to the decode logic 25 to define the current user partition, that is decoded with chip select 148. This permits the available user partitions to be divided on a totally flexible basis as required. … user partition to another, the secure system functions reprogram the appropriate values. When processing is transferred to a user partition no addresses are decoded outside this partition to prevent a user function compromising the system partition or another user partition. If the program counter is loaded with a value pointing to an address outside the user partition, it will not be decoded and the user function … In case of a crash within one of the user partitions a watchdog timer 190 may interrupt 191 the secure microprocessor 20 after a predetermined period. This is preferably a programmable period that may also be used to task switch secure processes in a multitasking environment. Prior to transferring processing to the user partition, the secure microprocessor 20 registers are preferably stacked and cleared of sensitive information and or the registers are duplicated. The dual port memory is decoded by chip select 150. The secure micr… least one interrupt 195 to the system microprocessor that directs the system microprocessor to an interrupt routine in dual port memory and or any suitable location. This location is preferably read only to the system microprocessor and may be read and written by the secure microprocessor 20. This interrupt may bypass any normal interrupts generated by the UCDPS to the system microprocessor and be processed transparently to the operating system. See known art US Patent 5274834. It may be used for any reason in particular to direct the system microprocessor to perform various functions within the UCDPS transparently to the UCDPS operating system. An interrupt may also be generated by the system microprocessor to the secure microprocessor 20. Interrupts to the secure microprocessor 20 are preferably specific to a particular source with sufficient interrupt lines to handle all interrupting devices.
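The origin-checked decoding and user partitioning described above, as an added example that is not from the patent: a C model of decode logic 25 in which the secure function chip selects and secure system memory 147 decode only when the latched first addresses of both the current and the preceding instruction lie in secure system memory, and in which a user partition 148 decodes nothing outside its boundary registers. The register addresses, the presetting of the latches on return from a user partition, the refusal of every secure select when the origin check fails, and the treatment of dual port memory 150 are constructed assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed addresses at which the secure devices of Figure 3 are decoded. */
#define CLOCK_ADDR  0x0100u   /* realtime clock calendar 89, chip select 140 */
#define DMA_ADDR    0x0120u   /* DMA controller 125, chip select 142 */
#define DES_ADDR    0x0140u   /* DES engine 135, chip select 143 */
#define TAMPER_ADDR 0x0160u   /* tamper detect 80, chip select 144 */

enum chip_select {
    CS_NONE = 0, CS_CLOCK = 140, CS_DMA = 142, CS_DES = 143,
    CS_TAMPER = 144, CS_SYSMEM = 147, CS_USER = 148, CS_DP = 150
};

struct decode_logic {
    uint16_t sys_lo, sys_hi;    /* boundary registers 160: secure system memory 147 */
    uint16_t user_lo, user_hi;  /* boundary registers selected via 171: partition 148 */
    uint16_t dp_lo, dp_hi;      /* dual port memory window, chip select 150 */
    bool in_user_partition;
    uint16_t cur_instr;         /* latched first address of the current instruction */
    uint16_t prev_instr;        /* latched first address of the preceding instruction */
};

static bool within(uint16_t a, uint16_t lo, uint16_t hi) { return a >= lo && a <= hi; }

/* Reset: both latches are preset to secure system memory so the initialisation
 * routine that lives there can decode the secure functions immediately. */
void decode_reset(struct decode_logic *d, uint16_t sys_lo, uint16_t sys_hi,
                  uint16_t dp_lo, uint16_t dp_hi)
{
    d->sys_lo = sys_lo; d->sys_hi = sys_hi;
    d->dp_lo = dp_lo;   d->dp_hi = dp_hi;
    d->user_lo = d->user_hi = 0;
    d->in_user_partition = false;
    d->cur_instr = d->prev_instr = sys_lo;
}

/* Microcode signals the first address of each instruction; latch two deep. */
void decode_new_instruction(struct decode_logic *d, uint16_t first_addr)
{
    d->prev_instr = d->cur_instr;
    d->cur_instr = first_addr;
}

static bool origin_is_secure(const struct decode_logic *d)
{
    return within(d->cur_instr, d->sys_lo, d->sys_hi) &&
           within(d->prev_instr, d->sys_lo, d->sys_hi);
}

/* Which chip select, if any, asserts for an access by microprocessor 20. */
enum chip_select decode_access(const struct decode_logic *d, uint16_t addr)
{
    if (d->in_user_partition)   /* nothing outside the partition decodes */
        return within(addr, d->user_lo, d->user_hi) ? CS_USER : CS_NONE;
    if (!origin_is_secure(d))   /* modelled as: no secure select asserts at all */
        return CS_NONE;
    switch (addr) {
    case CLOCK_ADDR:  return CS_CLOCK;
    case DMA_ADDR:    return CS_DMA;
    case DES_ADDR:    return CS_DES;
    case TAMPER_ADDR: return CS_TAMPER;
    default: break;
    }
    if (within(addr, d->sys_lo, d->sys_hi))   return CS_SYSMEM;
    if (within(addr, d->dp_lo, d->dp_hi))     return CS_DP;
    if (within(addr, d->user_lo, d->user_hi)) return CS_USER; /* loading a PSO */
    return CS_NONE;
}

/* Secure system functions program the boundary registers and hand processing
 * to the partition; only instructions of secure origin may do so. */
bool decode_enter_user(struct decode_logic *d, uint16_t lo, uint16_t hi)
{
    if (d->in_user_partition || !origin_is_secure(d) || lo > hi) return false;
    d->user_lo = lo; d->user_hi = hi;
    d->in_user_partition = true;
    return true;
}

/* Return to system functions (user interrupt 180 or watchdog 191): the
 * latches are preset to system memory again, as modelled here for reset. */
void decode_return_to_system(struct decode_logic *d)
{
    d->in_user_partition = false;
    d->cur_instr = d->prev_instr = d->sys_lo;
}
```

The two-deep latch is what stops a single jump from a user partition into secure memory from unlocking the secure selects on its first instruction.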
Within the secure system memory is an area of masked ROM 51 that is usually a fixed amount, usually a fixed amount of flash memory 52 for storing information that survives total loss of power, and usually a variable amount of battery backed static memory 53 that securely stores secret system programs and data. This information may be lost in part or whole, due to accidental reasons, e.g. a flat battery (preferably rechargeable), or by activation of one or multiple tamper detect systems and or failure to comply with the conditions attached to using the SPD and or any other reason. System memory and user memory 54 is described later. Part at least of 53 … by dynamic memory to provide greater memory density. This may particularly apply to secure system functions loaded from external sources as required, and user functions loaded as part of a PSO executing and or any other external information transferred as required.
26 

Secure System Functions:

The system memory of an SPD must be preprogrammed with certain key programs and data prior to shipping to a user (usually as part of a UCDPS). This should be done in a secure environment, using secure methods, and is preferably completed during the manufacturing process. The service provider keeps a record of part at least of the information within each SPD. Once this key information is programmed into the system memory, any other types of programs and or data may be suitably encrypted by the service provider and transferred to a user's SPD (usually while within their UCDPS) using methods that maintain the security of the information. The suitably encrypted information is programmed into the system and or user memory of the SPD on a temporary or permanent basis, and in many cases this will be a transparent, dynamic process that occurs during the execution of various computer programs, particularly PSOs. This method allows almost any type of additional functions to be securely loaded and stored within the system memory, and or allows various programs to be loaded to update and or modify existing system functions and or any other transfer of information for any reason.
Secure system functions are those functions applicable to the correct operation of the SPD and the provision of required resources to multiple secure user functions. Secure user functions are those applicable to one or multiple PSO loaded into memory of the UCDPS that requires the SPD and [...] operation. Secure user functions are usually an integral part of, or integrally linked with, a particular PSO and loaded into the SPD as required. A PSO that is supplied by the service pr[ovider ...] functions would usually act as a secure user function, al[...]

The preferred SPD consists of the following:

1. It provides a tamperproof environment which is not practi[cal ...] including an attempt at analysing or tampering with one or multiple [...] tamperproof environment. This tamperproof environment [...] known art to monitor the maintenance [...] invalidating the contents should interfer[ence ...] invention stores secret information independently of whether or not the UCDPS is active, part or all of the tamper detect and data invalidating methods preferably remain active on a conti[nuous ...] the secure microprocessor 20 (Fig 1) and or a microprocessor integral [...] powered and periodically awakened from a low power sleep mode to perform one or multiple housekeeping functions, including monitoring and or activating various [...]

Secret information that may compromise the secure nature of multiple [...] backed Static RAM (SRAM), a storage medium that may be rapidly [...] specially created subroutine that cycles through the memory [...] system that triggers automatic invalidations of static memory storage elements as is known to the art (reference Dallas Semiconductors Secure Microcontrollers). The invention allows for any known method and apparatus of detecting physical tampering with the SPD and allows for any method and apparatus of invalidating secret information in any type of memory storage device.

Secret information that is only likely to compromise the security of a particular SPD may be stored in SRAM, however, information that should survive invalidation of the [...] volatile locations. When this information needs to be programmed [...] course of operation of the SPD, it is preferable to use flash memory or an equiva[lent ...] require alteration after initial programming it may use any type of no[n-volatile ...]

Information not requiring secrecy (as far as practical) and that is consistent across multiple SPDs is preferably implemented in mask ROM during the manufacture of the SPD. This usually includes initialisation routines to program other information into the SPD. When constructing an SPD that is not within the system CPU, the CPU chosen for the SPD will usually already have a boot or initialisation routine embedded within. Those experienced in the art will appreciate that information stored as masked ROM inside an integrated circuit (IC) package may be analysed, however, this is usually with great difficulty.

Where certain unique features are required in each SPD [...] is not essential, they are preferably implemented by laser pro[gramming ...] one or multiple passwords that are applicable to a partic[ular ...]

The secret processing device (SPD) is a device that is not practical to tamper with. This device contains various secure functions that may perform useful functions for suitably configured software objects. It also provides various secure functions that permit a provider of protected software objects, referred to as service provider, to create an effective method of renting software to users. A number of alternative methods of [...] discussed. The method is secure from the perspective of the producer of the software object and provides a convenient means for a potential user to have access to a large amount of software that [...]

The invention allows that attempts may be made to physically tamper with the SPD. This may be for any reason, including the unauthorised extraction of secure information from the SPD. Secure system tamper detect functions, using any method and apparatus, may be used to detect tampering and or to take direct (that preferably includes immediately erasing and or altering information within part or all secure storage devices) and or indirect (e.g. via error functions) action in the event of tampering. Part of the tamper detect functions allow for any method and apparatus, referenced as secure system continuity functions, to confirm that one or multiple of any number of mechanisms remain intact. One method is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and or functioning of attached logic elements in those instances where the normal function does not permit this. This bidirectional logic is usually connected, directly and or indirectly, to addressable elements under the control of suitable software routines. The invention also allows for any method and apparatus to detect loss of clock to the realtime clock/calendar and or any one or multiple other clocked elements, including routines that periodically read these clocked devices (directly and or indirectly) to ensure that there are the expected incremental changes secondary to an active clock. It is p[referable that ...] the tamper detect mechanisms remain functional when the system power supply is [...] battery power to maintain one or multiple microprocessors within the device in an operational mode, enabling them to execute various system functions. Loss of battery voltage below a predetermined threshold (as detected by an integrated A/D converter) may trigger the erasure of part or all secure elements. It is pre[ferable that a ...] timed function is implemented (e.g. RC network) that must be periodically refreshed by one or multiple microprocessors. This confirms presence of an active CPU, and failure to periodically refresh this function would usually cause a default erasure and or alteration of secure storage elements.

The invention allows that various errors and or validity failures and or any processing error and or any other event may be recorded by secure system error monitoring routines (usually implemented within secure system memory). These may perform any functions, that may include:
recording abnormal events; and or
in response to a predetermined number and or types of abnormal events (and or any other reason) take one or multiple actions (that may be any action, including calling other functions to part[...]
and or
return processing to the system CPU (with or without error reporting).

There may be a requirement to disable part or all of the SPD and or part or all of other apparatus that the SPD may be integrated within (e.g. system CPU). The functions to perform this are referenced as secure system disable functions and they may be implemented using any method and apparatus, including:
the generation of various clocks (and or any other meaningful signals) that trigger immediate erasure of volatile elements; and or
setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions that will not continue (and or any other outcome) in the event of an unacceptable value within a flag.

The invention also allows for any method and apparatus that may tempora[rily ...] disable functions. This may be for any reason, however, the primary one is to stop inadvertent triggering of these functions during software development. The invention allows for any method and apparatus that prevents infringement of system security when the disable functions are in part or whole tempo[rarily ...]

2. It provides one or multiple blocks of memory arranged in a manner that prevents unauthorised analysis of the contents of such memory unless intended. This memory is referred to as secure mem[ory ...] or all of the memory contains information that is not secret.

The memory blocks may use any types of memory storage device, in any mix [...] types of memory storage devices to meet the requirements of specific func[tions ...]

[...] primary purpose of secure memory is to provide part of an apparatus that, when com[bined ...] of processing information within the secure memory and a means of transfer[ring ...] external locations, allows certain secret processes to occur and or certain secret information to be securely stored. The processing of information within secure memory may include the use of any mix of secure and unsecure programs and or data, and any interaction with resources that are external to the SPD.

An SPD usually has one or multiple blocks of memory storage devices tha[t ...] of memory storage devices arranged to make it not practical for unauthorised parties to analyse the values stored within part or all of said memory storage devices.
The memory storage devices preferably:

(a) include one or multiple blocks of Static RAM that are made non-volatile by connection to a non-disruptable power source that is preferably a rechargeable battery integrated into the device and or its enclosure, and or a rechargeable battery external to said device, and said Static RAM is used in part or [...] that should usually be invalidated in the event of any tampering with said d[evice ...] connected directly and or indirectly with one or multiple methods and apparatus to detect said tampering and invalidate and or activate invalidation of part or all of said secret inf[ormation ...] invention also allows for the inclusion of any method and apparatus to invalidate in part or all secret information stored within said static RAM for any other reason. This memory usually stores:
(i) secret system functions implemented at least in part as software routines, that need to be maintained in secrecy (as far as practical) and that cannot be stored in encrypted format in an external location and loaded decrypted as required. An example of this may be the master decryption algorithm and or keys; if this was loaded from an external location it may be analysed and used to break the security of other encrypted information. Initial loading of decryption algorithms may be possible as long as sufficient function is kept securely within the SPD. Said sufficient function may in part or whole be a hardware implementation of a decryption [...]
(ii) information that may or may not need to be secret that is required to correctly in[...] information, this may include the loading of other information.
(iii) information that it is determined, for any reason, should be within the SPD on a continual basis.
(iv) information that is loaded from external resources. This may include additional secure system functions loaded in encrypted format and subsequently decrypted and may include appropriately encrypted objects supplied by an authorised party to modify information within the SPD.

The information described in (i), (ii), (iii) and (iv) constitutes part of the secure system functions (53 of figure 3) and consists of information that is known to be available within, or able to be loaded within the device when required to perform the functions that are an integral part of the SPD. System functions are also known to have been carefully prepared and scrutinised in a secure environment to ensure that they do not corrupt and or compromise the secrecy of information within the SPD. Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validity checking processes integrated into their structure to ensure the validity of the information prior to associating it with other secure system functions. That part of the secure memory tha[t ...] functions is referenced as secure system memory.

(v) other information that may be loaded into the battery backed SRAM and may include one or multiple secure user functions (54 of figure 3). These are usually software objects supplied by various producers that have a requirement for interaction with the SPD. They usually require appropriate conversion of the software object by an authorised service provider to one that may be recognised and processed by the SPD, and such an object is usually referenced as protected software object or PSO. A PSO is usually encrypted and preferably has appropriate validity checking mechanisms included to ensure that the information is as supplied by the service provider. Those parts of the PSO that are to be transferred to locations within the SPD, whether data and or computer instructions, are referenced as secure user functions. In applications where this information is data that is to be processed securely using secure system functions, accidental and or deliberate tampering with the data usually has no potential unwelcome consequences within the SPD as the processing is performed by known processes.

(b) static RAM (SRAM) that is not battery backed and or dynamic memory may be used f[or ...] described in the preceding (a) part (iv), and or secure user functions in (a) part (v), and or any other information loaded into the SPD.
(c) an area of programmable and or reprogrammable memory that remains non-volatile when all power is lost. This preferably includes one or multiple blocks of intrinsically non-volatile and reprogrammable memory, eg. flash memory and or EEROM, including any required comp[onents ...] of said flash memory and or EEROM. Particular appl[ications ...] survive an erasure of SRAM for any reason, including accidental erasure. One of the features of SPD is its capability, with appropriate softwa[re ...] encrypt information stored externally, preferably on a mass stor[age ...] remain retrievable if the SRAM contents are corrupted. By ret[aining ...] suitably protected routine may be used to retrieve thi[s ...] with externally encrypted information as the decryption key is [...]

(d) includes one or multiple blocks of memory of mask ROM that is prog[rammed ...] memory storage devices and said mask ROM preferably includes a[...] information for each device, one method of customising the d[evice ...] program data into other storage devices.

The current system functions within an SPD preferably have a version number stored in an externally accessible location, eg. dual port memory 19 of figure 1, that may be read by PSOs to ensure the SPD [...] resources to meet the requirements of the PSO.

3. It provides at least one secure microprocessor 20 and a method of de[coding ...] any other addressable functions (e.g. timer, realtime clock, decryption/encryption engines, interfaces, etc) into the address space of the secure microprocessor 20. The mic[roprocessor ...] reads and or writes and or processes, in part or whole, is not exposed to unauthorised analys[is].

The secure microprocessor 20 may be continually powered to perform reliable tamper detection and invalidation. The power source is usually shared with the battery backed SRAM and where present [...]

It is preferable that the reset line on the secure microprocessor is connected to the reset line of the host UCDPS, enabling it to perform error checking on internal si[gnals ...] UCDPS.

The secure microprocessor on reset (and or any other appropriate [...]) perform various housekeeping duties while waiting for one or multiple interrupts generated by the UCDPS, and or the reading of one or multiple appropriate values from one or more po[rts ...] indirectly written to by the system microprocessor, and or a[...] any one or multiple other functions of the SPD to further interact with the UCDPS.

4. The SPD predominantly is a secret processor of information and a secure [...] in part or whole is generated (including by decryption) within the SPD. It is an essential function that there is a means of transferring information in and out of the SPD without compromising the security of information that must remain secret. This entails two basic requirements:

(a) The provision of one or multiple physical interfaces between SPD and sources of information. The invention allows for any known interface. This includes information that is transferred via the bus of the UCDPS, that is the usual method when the software objects using the SPD are executing and or being processed by the system microprocessor, and or information entering through one or multiple ports that may be read by the secure microprocessor and or any other function within the SPD.

The preferred interfaces include any ports that are part of the secure microprocessor or any other part of the SPD, dual port memory 19, latches and or registers (unidirectional and or bidirectional), FIFO memory, a facility for the secure microprocessor to have direct access to the address bus of the UCDPS and move information under programmed control and or by direct memory access (DMA).

(b) a method for the SPD and UCDPS to determine which locations have valid information and a method of acting on this information. The information may be commands and or programs requiring execution and or data for any reason and or any other information. This is a function of the secure system functions and specifically those referenced as secure system I/O functions. They require similar processes to those provided by any operating system and are within the expertise of those experienced in the art of writing operating systems. Moreover, as the SPD includes functions to load and execute externally supplied software objects that may securely modify the various secure system functions, more flexibility is provided with an SPD than many UCDPSs having part of their operating system in memory that is not easily modified.

The preferred embodiments of the invention provide a dual port memory 19 that is accessible by the secure microprocessor and the system microprocessor. This occupies a predetermined part of the address map (that may be programmable) as previously described with reference to Figures 1 and 3.

The next part of the description may be better understood by reference to Figure 4 of the drawings that shows:

A system port structure 199 is established that may have one or multiple addresses which the system microprocessor writes to, referenced as system command input port 200, and one or multiple addresses that it reads from, referenced as system command output port 201. The SPD reads command input ports and writes to command output ports. As these are usually part of a block of memory, they may be dynamically reconfigured by appropriate interaction between system microprocessor 1 and secure microprocessor 20. This reconfiguring may change locations and or the number of addresses constituting a port. It is preferable to have a system input data port 202 for the transfer of information other than commands from UCDPS to SPD and a system output port 203 for non-command transfers from SPD to UCDPS. In the case of dual port memory a large block of addresses [...] information and the addresses and sizes may be dynamically configured. The actual allocation of input and output ports is preferably a function of the SPD and is likely to be a dynamic state. In a single tasking environment this may be the only interfacing required. The inclusion of a DMA channel 125 on the SPD is [...] large blocks of information in and out of the [...] data lines 221 from the DMA controller 125 are multiplexed with similar signals from system microprocessor 230 and are multiplexed in 235 for interface with external memory. Address and control lines 222 and data lines 223 are multiplexed (not shown) with similar signals from secure microprocessor 20 for transferring information to and from secure memory 53 and 54.

The invention also allows for the SPD to handle the requirements of multiple PSOs in a multi tasking environment, and that the system command and data ports as described may be sufficient if the UCDPS operating system is modified to send a command to an appropriate location in a command port to instruct the SPD of a task change and does not proceed until the command is acknowledged.

The preferred method is to use the system command and data ports for establishing certain parameters within the SPD when a PSO first requires access to the SPD. The PSO would usually send information requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4. The SPD would usually respond with availability of this memory and dynamically configure a user command input port 206 and or user command output port 207 and or user input data port 208 and user data output port 209. The PSO stores [...] location in its own address space and directs all commands and other information [...] otherwise appropriate. A multitasking kernel within secure system f[unctions ...] configuration as part of its functions. Additional PSOs create their own user ports, e.g. 210 and 215 of Figure 4. The space used by these ports is reallocated when a software object terminates interaction with the SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be transparent to the UCDPS task handler.
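The exchange described above (a PSO requesting a user port structure through system command ports 200 and 201, the SPD configuring that PSO's own ports and later reclaiming them), as an added C simulation that is not part of the patent: the word layout of dual port memory 19, the command codes, the four-word port sizes and the CMD_COPY user command are constructed assumptions standing in for whatever a real SPD would define.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout of dual port memory 19, in 32-bit words. */
#define DPM_WORDS    128
#define SYS_CMD_IN     0   /* system command input port 200: UCDPS writes, SPD reads */
#define SYS_CMD_OUT    4   /* system command output port 201: SPD writes, UCDPS reads */
#define USER_AREA     16   /* user port structures (205, 210, 215 ...) start here */
#define USER_WORDS    16   /* each user port structure holds four 4-word ports */
#define MAX_PSO        4

/* offsets of the four ports inside a user port structure (206 .. 209) */
enum { U_CMD_IN = 0, U_CMD_OUT = 4, U_DATA_IN = 8, U_DATA_OUT = 12 };

/* command and response words; 0 means "nothing pending" for the poller */
enum { CMD_NONE = 0, CMD_OPEN = 1, CMD_CLOSE = 2, CMD_COPY = 3, RSP_ACK = 0x10, RSP_NAK = 0x11 };

struct spd {
    uint32_t dpm[DPM_WORDS];
    bool     open[MAX_PSO];   /* which user port structures are allocated */
};

void spd_init(struct spd *s) { memset(s, 0, sizeof *s); }

static uint32_t user_base(int h) { return USER_AREA + (uint32_t)h * USER_WORDS; }

/* SPD side: service one pending system command (port 200 -> port 201). */
bool spd_service_system(struct spd *s)
{
    uint32_t cmd = s->dpm[SYS_CMD_IN];
    uint32_t arg = s->dpm[SYS_CMD_IN + 1];
    if (cmd == CMD_NONE) return false;
    s->dpm[SYS_CMD_IN] = CMD_NONE;                    /* consume the command */
    s->dpm[SYS_CMD_OUT] = RSP_NAK;
    if (cmd == CMD_OPEN) {
        for (int h = 0; h < MAX_PSO; h++) {
            if (s->open[h]) continue;
            s->open[h] = true;
            memset(&s->dpm[user_base(h)], 0, USER_WORDS * sizeof(uint32_t));
            s->dpm[SYS_CMD_OUT] = RSP_ACK;
            s->dpm[SYS_CMD_OUT + 1] = (uint32_t)h;
            s->dpm[SYS_CMD_OUT + 2] = user_base(h);   /* where the PSO's ports live */
            break;
        }
    } else if (cmd == CMD_CLOSE && arg < MAX_PSO && s->open[arg]) {
        s->open[arg] = false;                        /* space goes back to the pool */
        s->dpm[SYS_CMD_OUT] = RSP_ACK;
    }
    return true;
}

/* SPD side: service the user command port of one PSO (206 -> 207). CMD_COPY
 * moves a word from the data input port 208 to the data output port 209 and
 * stands in for whatever secure processing the PSO asked for. */
bool spd_service_user(struct spd *s, int h)
{
    if (h < 0 || h >= MAX_PSO || !s->open[h]) return false;
    uint32_t b = user_base(h);
    uint32_t cmd = s->dpm[b + U_CMD_IN];
    if (cmd == CMD_NONE) return false;
    s->dpm[b + U_CMD_IN] = CMD_NONE;
    if (cmd == CMD_COPY) {
        s->dpm[b + U_DATA_OUT] = s->dpm[b + U_DATA_IN];
        s->dpm[b + U_CMD_OUT] = RSP_ACK;
    } else {
        s->dpm[b + U_CMD_OUT] = RSP_NAK;
    }
    return true;
}

/* UCDPS side: a PSO asks for a user port structure; returns its handle or -1. */
int pso_open(struct spd *s)
{
    s->dpm[SYS_CMD_IN + 1] = 0;
    s->dpm[SYS_CMD_IN] = CMD_OPEN;    /* argument first, command word last */
    spd_service_system(s);            /* in hardware: interrupt 195 or polling */
    if (s->dpm[SYS_CMD_OUT] != RSP_ACK) return -1;
    return (int)s->dpm[SYS_CMD_OUT + 1];
}

/* UCDPS side: the PSO terminates its interaction and the structure is released. */
void pso_close(struct spd *s, int h)
{
    s->dpm[SYS_CMD_IN + 1] = (uint32_t)h;
    s->dpm[SYS_CMD_IN] = CMD_CLOSE;
    spd_service_system(s);
}

/* UCDPS side: push one word through the PSO's own ports and read the result. */
bool pso_copy(struct spd *s, int h, uint32_t in, uint32_t *out)
{
    if (h < 0 || h >= MAX_PSO) return false;
    uint32_t b = user_base(h);
    s->dpm[b + U_DATA_IN] = in;
    s->dpm[b + U_CMD_IN] = CMD_COPY;
    if (!spd_service_user(s, h) || s->dpm[b + U_CMD_OUT] != RSP_ACK) return false;
    *out = s->dpm[b + U_DATA_OUT];
    return true;
}
```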

5. Secure System and Secure User Partitions:

If the SPD is to provide any useful processing of information supplied, it requires a method of transferring information into secure areas where it may be further processed. As described, a potential unsecure process is introduced into an SPD once the facility is provided to load externally s[upplied ...] into secure memory [...] in part or whole consists of executable code. PSOs that are to modify the secure system functions are usually provided by the service provider from software objects in their control and the security is good. When a PSO is produced by a Producer, there can be no such guarantee of the integrity of the contained program code. The execution of this material may read information from secure system functi[ons ...] multiuser system, it may also compromise information relevant to a[...]

The preferred method is to partition the available secure memory into partitions as previously described that includes a system partition and one or multiple user partitions. Programs within a system partition may access any secure memory address. Programs within a user partition are confined to their own [...] using dual latching of instruction sources as previously described [...] one user partition from any other. An alternative is to perform this function with software, by ensuring that each instruction executing within a particular user partition is not intended to make an unauthorised access to system memory and or other user memory. Another solution would be to allocate a separate microprocessor to one or multiple user functions.

When the secure system kernel switches processing between user functions, it programs logic with the address boundaries of the current user partition that is compared with an instruction. A separate user partition is allocated to each user function.

The invention allows for any method and apparatus that prevents any particular user function from accessing, in an unauthorised manner, secure information within system partitions and or other secure user partitions. The method does allow valid transfers of processing across system and user functions. It is preferable that the size of the partitions may be varied, preferably under the con[trol ...]
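An added C model of the partition scheme described above, not code from the patent: the kernel latches the current partition's address boundaries on each switch, compares every access against them, and accepts a transfer of processing into the system partition only through an assumed table of entry points. The memory map, partition sizes and entry addresses are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed secure memory map: the system partition (53) lies below
 * SYS_LIMIT and user partitions (54) are carved out of the space above it. */
#define SYS_BASE   0x0000u
#define SYS_LIMIT  0x4000u   /* end of the system partition, exclusive */
#define MEM_END    0x10000u  /* end of secure memory, exclusive */
#define MAX_USERS  4
#define MAX_GATES  3

struct partition { uint32_t base, limit; bool in_use; };

struct spd_kernel {
    struct partition user[MAX_USERS];
    uint32_t next_free;   /* bump pointer for fresh user partitions */
    int cur;              /* index of the running user function, -1 for system */
    uint32_t lo, hi;      /* bounds latched into the comparison logic at the last switch */
    unsigned violations;  /* events the secure system error routines would record */
};

/* Assumed entry points through which a user function may hand processing to a
 * system function (the "valid transfers" the text allows); addresses are constructed. */
static const uint32_t system_gates[MAX_GATES] = { 0x0100u, 0x0140u, 0x0180u };

void kernel_switch_system(struct spd_kernel *k)
{
    k->cur = -1;              /* system functions may access any secure address */
    k->lo = SYS_BASE;
    k->hi = MEM_END;
}

void kernel_init(struct spd_kernel *k)
{
    for (int i = 0; i < MAX_USERS; i++)
        k->user[i] = (struct partition){ 0, 0, false };
    k->next_free = SYS_LIMIT;
    k->violations = 0;
    kernel_switch_system(k);
}

/* Allocate a user partition for a PSO that has requested one; a partition
 * released by an earlier PSO is reused when it is large enough. */
int kernel_alloc_user(struct spd_kernel *k, uint32_t size)
{
    if (size == 0) return -1;
    for (int i = 0; i < MAX_USERS; i++) {
        if (k->user[i].in_use) continue;
        if (k->user[i].limit != 0) {                    /* released slot */
            if (k->user[i].limit - k->user[i].base < size) continue;
            k->user[i].in_use = true;
            return i;
        }
        if (size > MEM_END - k->next_free) return -1;   /* no room left */
        k->user[i] = (struct partition){ k->next_free, k->next_free + size, true };
        k->next_free += size;
        return i;
    }
    return -1;
}

/* Release the partition when the PSO terminates its interaction with the SPD. */
void kernel_free_user(struct spd_kernel *k, int idx)
{
    if (idx < 0 || idx >= MAX_USERS) return;
    k->user[idx].in_use = false;
    if (k->cur == idx) kernel_switch_system(k);      /* drop stale bounds */
}

/* Context switch to a user function: the kernel programs the comparison
 * logic with the address boundaries of that function's own partition. */
bool kernel_switch_user(struct spd_kernel *k, int idx)
{
    if (idx < 0 || idx >= MAX_USERS || !k->user[idx].in_use) return false;
    k->cur = idx;
    k->lo = k->user[idx].base;
    k->hi = k->user[idx].limit;
    return true;
}

/* Compare one access of len bytes at addr against the latched bounds. A user
 * function reaching the system partition, another user's partition, or
 * straddling its own boundary is refused and the event recorded. */
bool kernel_check_access(struct spd_kernel *k, uint32_t addr, uint32_t len)
{
    bool ok = len != 0 && addr >= k->lo && addr < k->hi && len <= k->hi - addr;
    if (!ok) k->violations++;
    return ok;
}

/* Valid transfer of processing from a user function into the system partition:
 * only a registered entry point is accepted, anything else is a violation. */
bool kernel_call_system(struct spd_kernel *k, uint32_t target)
{
    for (int i = 0; i < MAX_GATES; i++)
        if (system_gates[i] == target) { kernel_switch_system(k); return true; }
    k->violations++;
    return false;
}
```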

6. Initial Programming, Reprogramming and Erasure of secret information:

The invention allows for secure system initialisation functions (SSIF) that may use any method and apparatus to initially program secure system functions into secure locations within the SPD, preferably into battery backed static RAM. This usually occurs prior to release of the SPD from a secure environment. The SSIF are part of the secure system functions, however, they include information that is preferably not made public, however, the invention is not compromised should this occur. For this reason they are suitable for use in mask ROM. Any other secure system functions may be included into mask ROM, however, this is not the preferred location for any information of a sensitive nature. In addition to security factors, the inclusion of the majority of secure system functions in reprogrammable storage elements allows them to be readily updated. The invention allows that the SSIF may be used later to erase and or modify and or reprogram the SPD at a later date. The invention also allows that part or all of the functions within the SSIF may be called by other secure functions as part of the normal operation of the SPD. For example the routines to load information from external locations and to [...] information into flash memory have obvious multiple uses. Certain provisions within the SSIF should only be capable of use when it is known that secure information within the device is invalid.

The preferred method and apparatus is to store the Secure System Initialisation Functions within (preferably secure) storage locations prior to encapsulation (that may be the package of an IC and or any other additional packaging) of the device at the time of manufacture. As a minimum the SSIF information included within the device at the time of manufacture should be sufficient to load and or program other information into the device and where necessary initiate processing of said other information. This provides an SPD that can modify itself as required. Said other information may be any information and may include additions to the SSIF not [...] at manufacture. The storage locations should retain SSIF functions (in part or whole) when other information within the device is erased for any reason. The SSIF may include any required support hardware to program particular storage devices, eg. charge pumps and or supply of special voltages and or timers and or glass windows to erase EPROM. The SSIF is usually implemented within secure memory (that is preferably mask ROM, however, it may be any suitable type of storage device) and usually includes functions:

to respond to a command to activate one or multiple SSIF functions (and or any other necessary commands); and or
to retrieve externally supplied information, that may use any method and apparatus provided for in a particular SPD, and to program part or all of this information and or any other information into required locations; and or
to finish prog[ramming ...]; and or
to verify that the programmed information is error free; and or
to terminate the process such that various applicable functions remain available as secure system resources; and or
to direct processing to part of the information that has been programmed (and or otherwise initiate access to this [...]

(The ability to load information and subsequently direct processing to this information is a key aspect of the invention. With the addition of a suitable decryption method within the SPD, the SPD may load encrypted information, decrypt this information and then direct processing to said decrypted information. The addition of routines to pass information back to external locations completes the process. Th[is ...] later).

The SSIF and any subsequent secure system functions may load information from any relevant external location to assist the process and or may call routines within external locations to assist the process.

Any SSIF function that allows programmed information to be read back for verifi[cation ...] occurs) may use any method and apparatus to prevent a user from activating this function at a later [...] and possibly being able to access secret information. The preferred method flags a non-volatile programmable location once the readback process is complete, in a manner that does not leave said flag clear in the event of a partial readback. The preferred method to prevent the flag remaining clear in the event of a partial readback is to activate a [...] that times out after a predetermined interval and sets the flag preventing further verification readback by triggering a flip flop. It is preferable said flag can only be cleared after secure storage elements have been erased and or otherwise suitably modified. This is not a function that should [...]
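An added C simulation of the readback flag described above, not code from the patent: it assumes the timed element is a one-shot timer armed when a verification readback begins, that its expiry (like a completed readback) triggers the flip flop that sets the non-volatile flag, and that only erasure of the secure storage clears it. The image size and the timeout are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_WORDS      8     /* constructed size of the programmed image */
#define READBACK_TIMEOUT 100u  /* one-shot timer interval in ticks (constructed) */

struct ssif_dev {
    uint32_t image[IMAGE_WORDS]; /* secure storage that the SSIF programmed */
    bool     programmed;
    bool     readback_done;      /* non-volatile flag: once set, readback is refused */
    bool     timer_armed;        /* one-shot timer started when readback begins */
    uint32_t deadline;
    uint32_t now;                /* simulated clock in ticks */
    unsigned words_read;         /* progress of the current readback */
};

void ssif_init(struct ssif_dev *d) { memset(d, 0, sizeof *d); }

/* Program the image into secure storage. Programming does not clear the
 * readback flag: only erasure of the secure storage elements does. */
bool ssif_program(struct ssif_dev *d, const uint32_t *src, unsigned n)
{
    if (n != IMAGE_WORDS) return false;
    memcpy(d->image, src, sizeof d->image);
    d->programmed = true;
    d->timer_armed = false;
    d->words_read = 0;
    return true;
}

/* Erase the secure storage elements; the only path that clears the flag. */
void ssif_erase(struct ssif_dev *d)
{
    memset(d->image, 0, sizeof d->image);
    d->programmed = false;
    d->readback_done = false;
    d->timer_armed = false;
    d->words_read = 0;
}

/* Start a verification readback: refused once the flag is set. Arms the timer. */
bool ssif_readback_begin(struct ssif_dev *d)
{
    if (!d->programmed || d->readback_done || d->timer_armed) return false;
    d->timer_armed = true;
    d->deadline = d->now + READBACK_TIMEOUT;
    d->words_read = 0;
    return true;
}

/* Advance the clock. If the one-shot timer expires while a readback is still
 * in progress it triggers the flip flop that sets the flag, so a partial
 * readback can never leave the flag clear. */
void ssif_tick(struct ssif_dev *d, uint32_t ticks)
{
    d->now += ticks;
    if (d->timer_armed && d->now >= d->deadline) {
        d->timer_armed = false;
        d->readback_done = true;
    }
}

/* Read the next word of the image. A complete readback also sets the flag. */
bool ssif_readback_word(struct ssif_dev *d, uint32_t *out)
{
    if (!d->timer_armed || d->readback_done || d->words_read >= IMAGE_WORDS) return false;
    *out = d->image[d->words_read++];
    if (d->words_read == IMAGE_WORDS) {
        d->timer_armed = false;
        d->readback_done = true;
    }
    return true;
}

/* Verify the whole image against expected: returns the number of mismatching
 * words, or -1 if the readback was refused or cut short by the timer. */
int ssif_verify(struct ssif_dev *d, const uint32_t *expected)
{
    if (!ssif_readback_begin(d)) return -1;
    int mismatches = 0;
    for (unsigned i = 0; i < IMAGE_WORDS; i++) {
        uint32_t w;
        if (!ssif_readback_word(d, &w)) return -1;
        if (w != expected[i]) mismatches++;
    }
    return mismatches;
}
```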

Disclosure of the information constituting the actual SSIF is unlikely to jeopardise the security of other secret information, however, it is preferable that unauthorised parties are prevented from initialising and or erasing and or reprogramming the device, and any method and apparatus may be used to implement this. It is preferable that these processes are password protected (using any password system) against unauthorised use.

One method of implementing SSIF would be to serially clock the required information into the device via a [...] (that may require a certain predetermined sequence to activate the process). This may not require any predetermined software routines within the device.

The preferred method uses a secure software routine executing from within secure ROM that uses the Timed Password Access process described below to activate programs that perform the functions previously described for a SSIF, transferring the relevant externally supplied (and usually secret) information to the relevant [...] storage devices and subsequently initiating processing of this information.
The actual method of programming information into the storage devices will depend on the type of storage device and may use any known method.

The timed password access method makes it unlikely that the password protection can be defeated, while retaining functionality for those parties with the necessary knowledge, even in the presence of unsuccessful attempts at programming and or deliberate attempts to inactivate the device (e.g. computer viruses). This contrasts with password systems that permanently inactivate the process after a predetermined number of attempts, possibly preventing further programming of the device by authorised parties.

The invention allows that a preferably unique password is programmed (usually as part of manufacture). Without access to this unique password, unauthorised activation of SSIF is not a practical outcome.

In an SPD integrated within a system microprocessor, particularly one with multiple microprocessors within, the SSIF may reside in memory locations exclusive to one of the on-chip CPUs and be transferred where necessary, using any internal mechanisms (including software), to any required storage devices; and or may be loaded into memory locations shared by multiple CPUs within the package; and or may be loaded into multiple locations, each location of which is exclusive to a particular CPU within the device.

The invention allows that only one CPU or a subset of available CPUs may load information for other CPUs, and or that particular CPUs load information for their own use.

The preferred method of activating the SSIF functions when the SPD is within the system microprocessor is to load the password into one or multiple CPU registers and execute a specially created instruction that activates SSIF to read the password and continue as appropriate. An alternative is to use the functions that detect and process the post instruction symbol stream as described later.

The timed password access (also referenced as TPA) may use any method and apparatus. It prevents any practical gain from attempting unauthorised access to any particular password event. It is based on a password of such complexity that in practice it would take such a long time to try all the permutations that it is not practical to gain access to the protected event. Said complexity is assisted by incorporating a delay mechanism that restricts the frequency of attempted access. Said delay may be variable for any reason (e.g. to allow for legitimate errors) and may be created using any method including software loops and or physical delays. The delay may be a hierarchical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is unaffected by powering down of the device, to prevent rapid power cycling defeating the delay mechanism.

One method and apparatus consists of the following steps:

a) create one or more password keys that are stored securely.
b) create a means to store a cumulative count in a device that is reprogrammable and preferably non-volatile.
c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval; this is most readily achieved by a software loop.
d) create a means to input a password, e.g. create a specific instruction that can pass externally supplied information to the relevant routines.
e) create a means to input the function required should the password succeed.
f) user activates d) and e), including transferring the password and target function to the process.
g) check the value of the cumulative count in b).
h) if less than a certain predetermined value then go to step j), else proceed.
i) invoke c) to generate the time delay.
j) increment the value in b).
k) confirm step j) has occurred if there is a chance that external influences may interfere.
l) input the password using d) and compare with the key in a). If a match, go to step o), else proceed.
m) set a flag in external memory to indicate a failed attempt at calling the program.
n) exit to try again, entering at f) (if the predetermined count has been exceeded, a delay will be encountered on every retry).
o) clear the flag in external memory to indicate success.
p) proceed with the called process.
q) return to external memory when finished.

Note: for passwords that protect access to processes that are implemented after destruction of the secure areas, the software routines and associated key codes should be stored within memory

The advantage of TPA over a limited number of attempts that then blocks the system is that it prevents the accidental and or deliberate permanent disablement of part or all of the device. The invention allows for a mix of methods.
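
The step list above as an added example, not code from the patent: a Python simulation of one Timed Password Access embodiment. The class names, threshold and delay values are assumptions; the non-volatile store is a stand-in object, and the sleep function is injectable so the demonstration does not actually wait.

```python
"""Timed Password Access (TPA) as a small simulation.

Added example (not from the patent): it models steps a) to q) with a
cumulative attempt counter held in a stand-in for non-volatile storage, a
hierarchical delay that grows with the stored count once a threshold is passed,
the counter incremented before the password is compared, and the failed-attempt
flag set or cleared in external memory. Because the delay is derived from the
stored count, it survives a simulated power cycle.
"""
import hmac
import time


class NonVolatileStore:
    """Stand-in for the reprogrammable non-volatile location of step b).
    A real device would place this inside the secure processing device."""

    def __init__(self) -> None:
        self.count = 0            # cumulative attempts; never reset automatically
        self.failed_flag = False  # flag in external memory (steps m and o)


class TimedPasswordAccess:
    def __init__(self, key: bytes, store: NonVolatileStore, threshold: int,
                 base_delay: float, max_delay: float = 60.0, sleep=time.sleep):
        self._key = key          # step a): the securely stored password key
        self.store = store
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._sleep = sleep      # step c): delay generator, injectable for tests

    def delay_for(self, count: int) -> float:
        """Hierarchical delay: none below the threshold, doubling for every
        further attempt, capped so a legitimate user is never locked out."""
        if count < self.threshold:
            return 0.0
        return min(self.base_delay * 2 ** (count - self.threshold), self.max_delay)

    def attempt(self, password: bytes, target):
        """Steps f) to q): returns target()'s result on success, None on failure."""
        # steps g) and h): consult the cumulative count before anything else
        delay = self.delay_for(self.store.count)
        if delay:
            self._sleep(delay)                    # step i)
        before = self.store.count
        self.store.count += 1                     # step j)
        if self.store.count != before + 1:        # step k): confirm the write
            raise RuntimeError("non-volatile count did not update")
        # step l): compare against the stored key in constant time
        if not hmac.compare_digest(password, self._key):
            self.store.failed_flag = True         # step m)
            return None                           # step n)
        self.store.failed_flag = False            # step o)
        return target()                           # steps p) and q)


def demo():
    """Four wrong guesses, then the right one, then a simulated power cycle."""
    delays = []
    store = NonVolatileStore()
    tpa = TimedPasswordAccess(b"correct-password", store, threshold=2,
                              base_delay=1.0, sleep=delays.append)
    failures = [tpa.attempt(b"guess", lambda: "secret function ran")
                for _ in range(4)]
    success = tpa.attempt(b"correct-password", lambda: "secret function ran")
    # power cycle: a fresh TPA instance over the same non-volatile store
    after_reboot = TimedPasswordAccess(b"correct-password", store, threshold=2,
                                       base_delay=1.0, sleep=delays.append)
    return {
        "delays": delays,                      # [1.0, 2.0, 4.0]
        "failures": failures,                  # [None, None, None, None]
        "success": success,                    # "secret function ran"
        "count": store.count,                  # 5, still counted after success
        "flag": store.failed_flag,             # False
        "next_delay": after_reboot.delay_for(store.count),  # 8.0 after reboot
    }
```

The count is cumulative as in step b), so an authorised reset of it would itself be a password-protected function; the example keeps that outside its scope.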

Electronic Signature: One or more processes during manufacture and or initial programming and or normal operation of the invention may need to identify parameters unique to a particular PCPU and or ESPD, and or unique to a particular group of PCPUs and or ESPDs (for any reason, including, for example, determining a password to activate the initialisation program described above). This may be done by any method known to the art, including physical markings on the outside of the CPU package and or one or multiple serial numbers and or any other identifying symbols stored within the device at the time of manufacture. These are amenable to retrieval under program control and or any other retrieval process using any method and apparatus. This provides an automatic method of uniquely identifying a particular device and or group of devices. This is referenced as an electronic signature and is usually included as part of the SSIF. Said one or multiple electronic signatures may be transferred to an external location using any method and apparatus and used by an authorised party as an index to secure information stored within that particular device (and or for any other reason). The preferred method when the device is a PCPU is an instruction that, when executed, stores said serial number from a non-volatile storage location within MTP in a predetermined register. This process is usually accessible to anyone, although it may be protected by passwords and or any other method. For ESPDs the serial number is usually read from an addressable location within the ESPD by the system CPU. In the case of the ESPD described with reference to figure one, the secure system functions programmed into flash memory 708 would include the electronic signature and, when the microprocessor 707 is first activated by an interrupt on 731 after programming of said secure system functions, it would transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to the system microprocessor.

The invention allows that a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs, and this may be required to activate part and or all of the device. In the case of a system CPU it may also be required to enable the normal processing functions of the device, providing a secure method of stopping unauthorised use of the UCDPS containing said system CPU. Any method and apparatus may be used to implement this function. The usual presence of programmable memory and programmable non-volatile storage elements provides for a plurality of methods. The invention allows for a multi-tiered password system. The preferred embodiment is a time based password system (as discussed elsewhere) that resides in secure system memory and activates routines that reverse various locks placed on part or all of the device.

The password functions usually include routines to disable part or all of the device in response to a specific command, a method that requires the user to specifically disable the SPD, preferably with a password; and or functions (usually implemented in hardware) that disable part or all of the device in response to reset and or power down and or any other criteria including automatic timeout (preferably programmable). The password processing system itself is not usually disabled; these functions automatically disable the SPD and or other applicable devices and require the correct password to reactivate the SPD and or other applicable devices.

The password(s) is usually stored in secure non-volatile system memory. The device may be supplied with a known default password and or with the password system disabled. Entry to the password system may use any method. In the case of a PCPU this may include use of a special instruction and or a suitable Post Instruction Symbol Stream (PISS). In the case of an ESPD it may involve passing commands using one or multiple methods as described elsewhere in this application, usually by writing and or reading predetermined addresses. A user accessing the device with the correct password may be able to change passwords.

The password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object, preferably a PSO.

The inclusion of at least one unique and secure code within each device, together with other suitable support resources, allows a plurality of methods of secure information transfer to be established between an information provider with access to the secure contents of the device and that device; and or provides for secure transfer in the reverse direction; and or permits information to be specifically encrypted for a particular secure system. These are referenced as system local code functions and they assist the implementation of multiple secure applications, including the secure transfer of information to a device that can verify the source and or validity of the information, and or the secure supply of information from a particular device that can be verified by the information receiver (with access to the secure information within the originating secure system CPU); this may be used for any reason including secure communications and or the secure transfer of electronic

The inclusion of one or multiple system group codes (e.g. for those devices destined for the same country) may be used for any reason. This may include the restriction of certain PSOs to particular group codes. One or multiple group codes, or part of a group code, may be user programmable and or password protected. This may allow, for example, parents to restrict children's access to particular PSOs.

The secure local and or group codes may be data and or actual computer instructions.

The effectiveness of the software distribution system forming part of the invention relies on the service provider having access to secure information within each of multiple SPDs, enabling the creation of PSOs that have general application and of PSOs specific to a particular SPD.

Secure system command functions detect instructions in information supplied to the SPD (using any method and apparatus), and or generated by secure system functions, requesting the SPD to perform certain actions. These may include:

commence execution of internal programs from any source; and or
pass data received from external sources to internal functions; and or
receive a request from internal functions to transfer processing back to the system microprocessor; and or
accept data from internal functions for transfer to a location readable by the system microprocessor; and or
provide a command structure within the SPD to coordinate other system functions and, when appropriate, interact with secure user functions; and or
where applicable, co-ordinate interaction with realtime decryption processes; and or
any other required function.

The invention allows for any method that permits an SPD to monitor a PSO as it is executed in order to detect various specially constructed process transfer instructions and or other suitable markers that indicate that interaction with the SPD is required. This particularly applies to a PCPU, where the method usually involves the transfer of processing from external unsecure memory to internal secure locations for continued processing by the system microprocessor using secure methods and or by other embedded microprocessors (that may include other system microprocessors), and or the activation of realtime decryption.

The process transfer instruction may inherently direct external programs to the appropriate internal function, or may require a post instruction symbol stream as described with reference to the preferred embodiment.

Secure system command functions also include any functions to transfer processing back to the appropriate PSO.

The secure system command function should be structured so that entry to secure system functions is in a regulated manner. This is readily achieved for an ESPD, where entry is via addressable locations that may have various validity checking performed on the data. The process is more complex for a PCPU and is described in more detail with reference to a PCPU.

An important function of secure system command functions is to direct the decryption of incoming encrypted information, direct the transfer of the decrypted information to a suitable location and, where this decrypted information consists of computer instructions, direct execution to the relevant starting point in the decrypted program and provide any necessary support functions as said computer program is executed. When the incoming encrypted information is data, this should be processed as required, which may include appropriately linking it with any internal and or external programs and or data and or special purpose functions (e.g. the data may be used to configure programmable logic, creating its own decryption engine), including a linked computer program also transferred in encrypted format. The command functions also direct the return of execution and or data to external locations as required.

7. The invention also allows that one or multiple hardware devices within the SPD may be constructed in part or whole from programmable logic devices. This particularly applies to encryption/decryption engines that may be dynamically engineered as required. The preferred type of programmable logic is that known to the art (refer to programmable gate arrays by Xilinx) using battery backed static memory to create the interconnections between various logic gates, as this may be rapidly erased if required. The transfer of this information to the programmable logic elements is preferably via one or multiple addressable locations, and is preferably parallel data. Part or all of such devices may need programming prior to leaving a secure location.

8. Secure Decryption, Secure Processing, Secure Decryption and Processing, Secure Processing of Information Unique to the SPD. The system functions should provide suitable software routines such that, when requested by appropriate commands, they perform a combination of functions that affect any combination of the following:

• for the secure transfer of at least a portion of encrypted information constituting a software object from a location external to said physical device to a location internal to said physical device, wherein said physical device securely decrypts part or all of said encrypted information within said physical device in conjunction with and or subsequent to said transfer and
• may initiate and securely process part or all of the ensuing decrypted information in conjunction with and or subsequent to the decryption process and
• may interact in any way with any other internal and or external information to correctly perform said process and may terminate said process as required and
• said termination may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises or eliminates analysis of patterns of instructions and or data; and or
• that includes computer instructions and or data securely programmed within said physical device and a facility for an external software object to transfer processing to said computer instructions and data securely programmed within said physical device, and the capability of processing part or all of said securely programmed information within in a secure manner, interacting in any way with any other internal and or external information to correctly perform said process and
• may terminate said process as required and
• said termination may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises or eliminates analysis of secret information; and or
• with the capability of being suitably requested by an external software object to provide information securely stored within.

The secure system decryption/encryption functions (together with the necessary command functions to load encrypted information and or to execute, and or otherwise manipulate, the information decoded from this encrypted information, possibly in conjunction with clear code and or other decoded information) may eliminate the requirement to preload specific secure user functions into the device beforehand; each PSO may include the secure user function as encrypted information included within the PSO supplied to a user, resulting in a device that can securely process part or all of a diversity of software objects. As suitable system command functions may be constructed to dynamically load blocks of encrypted information in and out of secure user (and or system) memory, much larger portions of encrypted information may be included in a software object than is the case with devices dependent on secure information preprogrammed into a limited amount of secure user (and or system) memory.

In addition to decrypting and executing the equivalent of secure executable user functions, the invention allows that the device may securely add to and or edit secure system functions using a similar process.

The invention also allows for part of the secure system functions to be loaded (usually in encrypted format) into the device from external storage each time a UCDPS is booted (and or on any other basis).

The security of the secure system routines, and in particular the secure system decryption routines stored within SPDs, is pivotal to maintaining the security of processes using the device. The information in the secure system functions must be protected to a level that makes it not practical to defeat, and while any storage device may be used to hold the secure system functions within the device, the preferred method uses battery backed storage that may be rapidly erased in the event of tampering; such a requirement particularly applies to any system functions that are stored in decoded format.

The transfer of information from one location to another may result in transmission errors, and the invention allows for secure system error detection functions that may use any known method and apparatus to detect and or correct these errors.

As the usual location of the SPD is within the UCDPS, information that is to be transferred to the SPD may be accessible and deliberately modified, e.g. by computer viruses and or attempts to reverse engineer the SPD. The invention allows for secure system validity checking functions, which may use any method and apparatus to verify that the information supplied to the SPD is as intended by the information provider, and or take any required actions that may include directly or indirectly (usually via secure system error monitoring routines) disabling part or all of the SPD. Where applicable, this may include the erasure and or alteration of secure information.

The use of cyclic redundancy checking (or CRC) of information generated by a service provider, embedded within a PSO and then encrypted, is one method of providing secure validity checking functions. The reversal of this process in the SPD may use any combination of hardware and software methods known to the art.

9. Secure system decryption/encryption functions: The decryption functions may in part or whole be implemented in software to decrypt externally supplied and encrypted information using any known methods, including the data encryption standard. One or multiple hardware based encryption/decryption engines may perform the decryption, in part or whole. An example of such an engine is one compatible with the Data Encryption Standard (DES). The method of using predetermined processes located within the SPD to decrypt (and encrypt) information is referenced as the Standard Decryption Process in this application. Standard Decryption Processes may require the supply of various codes to function correctly. The original cryptography processes were developed for the secure communication of information between parties, and they work well when this is the primary motive. When the purpose of encryption is to enable one party, in this case the producer, to encrypt information to protect it against unauthorised use, and the second party is a user who may prefer that the information was not encrypted, then the original basis for secure cryptography changes, and the premise for security is based on the fact that said second party will receive the information, however it will be difficult for them to access it in clear code. This has resulted in various specialised devices to decrypt information. As described, this method does not provide a system that is 'not practical' to defeat. The Oscar method of secretly decrypting and executing information

The capability of supplying an SPD with a PSO that can be used to perform any desired function within an SPD that is consistent with the available resources and constraints of said SPD allows said SPD to perform any function as required. This permits a PSO and or any other internal process to request one or multiple decryption functions to be loaded into the SPD. Said decryption functions may include information that is used to dynamically manufacture a hardware decryption engine from programmable logic within said SPD.

The capability of significantly varying the decryption process, and or constructing hardware cipher engines from volatile electrical connections that cease to exist when subjected to analysis, and or dynamically engineering cipher engines to suit a PSO, makes characterisation of the decryption process very difficult. The known art does not describe such a method and apparatus, which this invention references as Dynamic Decryption in this application.

WO 97/25675 PCT/AU97/00010

By including one or multiple decryption processes within an actual PSO, the decryption process can become self modifying, with the instructions of the actual PSO varying decryption parameters and or decryption algorithms, and or installing, in part or whole, one or multiple new decryption algorithms during the process of executing the PSO that are further used to decrypt additional parts of the PSO. This may occur on multiple occasions, in any combination, during execution of the program. The key to this process is to include with the PSO a sub-routine that can be recognised and executed by functions within the SPD, and said sub-routine initiates the process of unlocking the subsequent encrypted material. Said sub-routine is encrypted using a process that is known to be reversible by functions within the SPD. The known art does not describe such a method and apparatus, which this invention references as Recursive Decryption in this application.
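
An added example, not the patent's own code, that serves both the validity checking passage (a CRC embedded within a PSO and then encrypted) and the Recursive Decryption passage just described: a two-stage PSO in which the first sealed sub-routine yields the key that unlocks the second. The HMAC-SHA256 keystream cipher, the nonces, the keys and the program bytes are all constructed stand-ins.

```python
"""Validity checking and Recursive Decryption of a protected software object.

Added example (not from the patent): stage one of the object is a small
sub-routine sealed under the device key; here it simply carries the key that
unlocks stage two, which holds the program proper. Every sealed block carries
a CRC-32 computed before encryption, so a modified or mis-addressed object is
rejected before anything in it is executed. The cipher is a counter-mode
HMAC-SHA256 keystream, a standard-library stand-in for the DES engine the
text mentions; keys, nonces and program bytes are constructed values.
"""
import hashlib
import hmac
import struct
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: XOR data with HMAC-SHA256(key, nonce||counter)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, nonce: bytes, clear: bytes) -> bytes:
    """Service provider side: embed the CRC-32 of the clear code, then encrypt both."""
    tagged = clear + struct.pack(">I", zlib.crc32(clear) & 0xFFFFFFFF)
    return keystream_xor(key, nonce, tagged)


def open_checked(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """SPD side: decrypt, then verify the embedded CRC; raise on any mismatch."""
    if len(sealed) < 4:
        raise ValueError("sealed block too short")
    tagged = keystream_xor(key, nonce, sealed)
    clear, (crc,) = tagged[:-4], struct.unpack(">I", tagged[-4:])
    if zlib.crc32(clear) & 0xFFFFFFFF != crc:
        raise ValueError("validity check failed: object altered or wrong key")
    return clear


STAGE1_NONCE = b"pso-stage-1"   # constructed; fixed by the secure system functions
STAGE2_NONCE = b"pso-stage-2"


def build_pso(device_key: bytes, object_key: bytes, program: bytes) -> bytes:
    """Layout: 2-byte length of stage one | stage one | stage two.
    Stage one (the unlocking sub-routine) is sealed under the device key and
    yields object_key; stage two (the program) is sealed under object_key."""
    stage1 = seal(device_key, STAGE1_NONCE, object_key)
    stage2 = seal(object_key, STAGE2_NONCE, program)
    return struct.pack(">H", len(stage1)) + stage1 + stage2


def spd_process(device_key: bytes, pso: bytes) -> bytes:
    """Recursive Decryption: unlock stage one, use its contents to unlock stage two."""
    (n,) = struct.unpack(">H", pso[:2])
    stage1, stage2 = pso[2:2 + n], pso[2 + n:]
    object_key = open_checked(device_key, STAGE1_NONCE, stage1)
    return open_checked(object_key, STAGE2_NONCE, stage2)


def demo():
    """Returns (round trip ok, tampering detected, wrong device detected)."""
    device_key = b"device-secret-0001"        # constructed; held in secure memory
    object_key = b"per-object-key-42"         # constructed; chosen by the provider
    program = b"load r1, units; call charge_unit; ret"  # constructed stand-in program
    pso = build_pso(device_key, object_key, program)
    decrypted = spd_process(device_key, pso)
    tampered = bytearray(pso)
    tampered[-1] ^= 0x01                      # one bit flipped in transit
    try:
        spd_process(device_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        spd_process(b"some-other-device", pso)  # object not encrypted for this SPD
        wrong_device_detected = False
    except ValueError:
        wrong_device_detected = True
    return decrypted == program, tamper_detected, wrong_device_detected
```

A CRC catches transmission errors and casual modification, which is what the passage claims for it; against a deliberate adversary with known plaintext, a stream cipher lets both payload and CRC be adjusted together, so a practitioner would add a keyed MAC over the ciphertext.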

The decryption processes described are on the basis of encryption of information by a service provider with access to the secure information within multiple SPDs and the decryption of the information in the target SPDs. PSOs may be encrypted for a specific SPD and or multiple SPDs.

The decryption processes described may also apply to the encryption of information from an SPD to a service provider. The user has no knowledge of the encryption process and usually little knowledge of the clear code being encrypted. The process can be made even more secure by the service provider sending a one off encrypted encryption process to the SPD. This process will have multiple applications and is referenced as the Coco method in this application.

Standard Decryption and or Dynamic Decryption and or Recursive Decryption and or Realtime Decryption, and or the Coco method, may be used in any PSO in any combination determined by the service provider. The service provider may always supply the required information to ensure any chosen encryption process may be reversed in one or multiple target SPDs. The invention allows for any known method of encryption and or decryption to be used with any part or all of the invention.

The encryption/decryption methods described pertain to communications between service provider and user. They are also applicable to the secure storage of information within a UCDPS, including the encryption and storage of various values in the UCDPS memory that are intermediate and or final results of processing.

The decryption and or encryption processes described for the invention may interact in any way with external processes, and the interaction may assist with said decryption and or said encryption.

The preferred security provided by an SPD is its function of decrypting and executing encrypted programs in secret and or decrypting and processing encrypted data in secret.

The invention also allows for the decryption of information that is not securely

The invention allows that the SPD may be programmed with one or multiple secure user functions, and any method and apparatus may be used to select the current secure user function. The system functions that perform this role are referenced as system task switching functions, and they allow that PSOs may be co-resident and or multitasking, and said multitasking may occur alongside programs that do not require the use of the invention.

The use of battery backed storage elements (and or other continuous functions, e.g. a security monitoring CPU) requires a continuous supply of power to the device in the absence of system power. The invention allows for any method and apparatus to achieve this, including the integration of a battery into the device and or an external battery together with suitable monitoring and switching circuitry. An A/D converter may be included to detect changes to battery voltage for any reason. These are referenced as secure system power management functions

The invention as described permits:

1) the secure transfer of encrypted information from an external source (including memory) using any method, to one or multiple secure locations within a system CPU and or ESPD, and then (and or during)
2) the use of any suitable combination of microcode and or hardware and or secure internal software routines and or data (that may be augmented by any other software routines and or data in any location) to securely decode this encrypted information and or store the decoded (and or remaining encrypted) information in a secure location (usually internal to the device, however it may include encrypted information stored in suitable external locations), and then (and or during)
3) the processing of sufficient information from the encrypted and or decrypted information (and or any other internal and or external information that is accessible, directly and or indirectly) to enable the secure and secret use of sufficient secret information that it is not practical to gain any useful benefit from any information that is in clear code, and said clear code may be information that was never encrypted and or information that was encrypted and subsequently stored in unsecured locations, and

if the only reversible functional limitation applied to a software object is the encryption described for a secret processing device, this permits the original software object to be used as intended, without revealing part or all of the native object code constituting the software object, conditional upon the appropriate information being included within the SPD.

10. Automatic Reporting Facility.

A major application of the SPD, as it applies to the secure distribution of software objects suitable for use on a UCDPS, is to supply software objects that have been modified such that they must interact with the SPD on a frequent enough basis that the SPD may use this interaction to record the usage of the software objects, in a manner that directly and or indirectly equates to a monetary value. These modified software objects are a type of PSO as described in this application and, to distinguish them from other types of PSO, are referenced as a distinct class of Protected Software Objects, or CPSOs. A CPSO has some requirement for the exchange, directly or indirectly, of money for the use of the CPSO. The usage of CPSOs may be time and or events based, and the preferred methods allow unlimited use of these CPSOs as long as certain criteria are met.

As the SPD preferably does not require its host UCDPS to be attached to any remote device that may exert some form of control on the use of CPSOs, and as in many instances CPSOs have no intrinsic limitation on their lifespans and are readily available at little or no cost, a method is needed to ensure that payment is made.

The invention allows for the use of CPSOs against an electronic credit balance, usually on the basis of one or multiple predefined values that are suitably adjusted as credits are used. When the predefined value is exhausted, the SPD preferably stops processing the CPSOs. The invention allows for payment on any basis; the preferred method is to require prepayment for units. The invention also allows for limits on the use of CPSOs; however, this would usually apply where, for example, an employer may prefer to have limits placed on what individual employees may spend on CPSOs.

The preferred method of controlling usage of CPSOs that permit unrestricted use, where the SPD will record this use on any measurable units of use basis, is to prevent use unless there is sufficient electronic credit within the SPD and or accessible to the SPD. This electronic credit may be stored in any form. The preferred method stores one or multiple values in the SPD.

11. An SPD may disable itself in part or whole when any requirements that are applicable are not met. This includes when it has been determined as being tampered with, and or it is determined that an unauthorised party is attempting to use software methods to compromise the SPD, and or that there is physical tampering with the SPD, and or that various requirements for transferring information accumulated by the SPD directly and or indirectly have not been met, and or that various keys required to activate one or multiple PSOs have not been supplied.

12. An SPD that is disabled in part or whole may be re-enabled in part or whole by the supply of an appropriately configured and validated software object.

13. Processing of Protected Software Objects by SPD: Using any suitable software routines that reside within the SPD and or require loading from any external sources, and that may require assistance from the PSO and or external resources, the SPD responds to any suitable command generated by a software object requesting access to any one or multiple functions within the SPD. A software object that has requested access to resources within the SPD and has been specially prepared to work in conjunction with the SPD is referred to as a PSO. A PSO is preferably encrypted using one or multiple encryption processes. A PSO preferably includes embedded error and or validity checking information, and this may use any one or multiple known methods. The process of ensuring that a software object is acceptable preferably includes one or multiple error and validity checking processes and the decryption and or execution of parts of the software object within the SPD.

If the object is not acceptable, the SPD may take any course of action including disabling part or all of the SPD, reporting an error to the user using any method, denying access with no report, and or any other action. An object may not be acceptable for any reason, including that the object was not created for use with an SPD or that changes within the software object have occurred. If the SPD receives a predetermined number and or types of errors it may decide that these errors are not legitimate and take any course of action to protect itself; this may include granting no further access and or invalidation of part or all of the secure information within the SPD. The conditions that determine this course of action may be dynamically modified by the supply of an appropriate PSO.
8 

If it is determined that the software object is a valid software object for use with the SPD, examination of any relevant part of the software object determines what action is required of the software object. Said action may include performing further validity checking and or decryption and or any other actions as the PSO is processed in conjunction with the SPD. Protected software objects preferably include information that identifies the type of information that is included within the object, resources required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information, and any other relevant information. Said any other relevant information may be anything consistent with the resources of the SPD, because one feature of the SPD is its capability of being securely updated to perform any software function within the resources of the SPD. This updating may be dynamically performed by supplying the appropriate one or multiple PSOs prior to supplying the PSO that will use the dynamically modified functions. Said PSO that will use the dynamically modified functions may itself include in part or whole the information to said dynamically modify.
20 

The following are the types of PSOs that an SPD suitable for use in the protection and distribution of software objects preferably includes, however, functions for one type of PSO may be combined in part or whole with any other one or multiple PSO functions to create one or multiple mixed-function PSOs.

a) Secure System Update PSO: these may modify the secure system functions of the SPD using any method, including data and or program instructions that are to be loaded to specific locations within secure system memory, and or they may be programs and or data that are to be executed to perform one or multiple functions by any method. This type of PSO is preferably heavily encrypted with multiple checksums. When validated, the required action is performed by the SPD.

b) Electronic Credit PSO: this adds values to one or multiple non-volatile storage locations within the SPD. Said locations are preferably clear (and or any other predetermined values) when the SPD is supplied to a user for the first time. Said non-volatile storage is preferably flash memory, described previously. The values preferably equate to a number of units of available credit for use with various CPSOs and or any other reason. Credits may be prepaid credits, and these are stored in a location that is preferably decremented as credits are used, or they may be credits that are unpaid and are effectively a credit limit against which usage is charged. The SPD can distinguish prepaid credits from unpaid credit.

c) Report Verification PSO: this verifies that a particular report generated previously by the SPD has been received by the service provider. It is preferably specific to a particular SPD in that unique information within the SPD is required to correctly validate it and have it perform the required functions. It may perform any one or multiple functions, directly and or indirectly, within the SPD. It usually resets any restrictions within the SPD that are awaiting receipt of the report verification PSO, and may do this in any way. It also usually programs the relevant locations with a new reporting interval and or modifies in any way any part or all of the report generation process.

d) CPSO as previously described.
7 

Preparation of a Protected Software Object:

It is one object of the present invention to provide a method and apparatus for distributing software objects from a producer to potential users such that a user may make as many legal and or illegal copies as they wish and distribute them as widely as they wish, however, any user executing the software object must remunerate the producer and or service provider of the software object. The preferred method to achieve this is to convert the original software object to a version that is modified to a PSO that is usually still capable of potentially running on many UCDPSs, however, those UCDPSs must be equipped with a Protected CPU, and any particular PCPU that the PSO is to operate in conjunction with must be matched to the PSO. This may or may not require intervention by the user. In the following description a reference to PCPU also applies to ESPDs. The preferred method allows the user unlimited use of PSOs contingent on them having sufficient electronic credit within and securely accessible by the PCPU. The conversion from a software object to a PSO preferably occurs in a secure location.
20 

Object Support Information:

One step in the creation of a PSO is to take a software object from the producer, analyse the object and create Object Support Information (or OSI) that provides the information needed by the PCPU to process the PSO. The actual creation of the OSI is usually a co-operative process between the producer and service provider, however, any operations that require the use of information within the secure system memory of a PCPU would usually be restricted to the service provider. The OSI is usually placed near the start of the program, however, it may be located anywhere throughout the program as long as it is arranged in a sequence acceptable to the PCPU that is to process it, and or the PSO includes various information that may permanently and or temporarily modify the PCPU such that it can locate and use the OSI. To protect the information in the OSI from tampering, part or all may be encrypted, and or may have various check sums that are preferably secure and or encrypted themselves. The OSI may be provided in part or whole as a separate program(s) and or as part of one or more other programs that may already be present in the PCPU, and or by any other method. If the OSI is within separate modules and contains information that the producer does not want deleted, there should be a suitably secure cross reference in the main part of the PSO to check for the presence of independent modules and valid data within. The preferred embodiment includes all information within the body of the primary software object or one or multiple modules of the primary software object. The actual method to encrypt and decrypt information may use any known method and any number of levels and any combination of methods. The OSI is a description of certain functions that may be required, and they may be implemented using any known method and structure. The ability to program the secure system memory of the target PCPU enables any new structure to be created by supplying a suitable PSO compatible with existing structures.
3 

The following is a non-exclusive list of components that may be found in OSI:

Detection of Presence of a PCPU: this is usually executed immediately after the start of PSO execution. Should a PSO attempt to execute in an environment without a PCPU one or multiple adverse outcomes may result, for example the hard drive may be modified.

The preferred embodiments of a PCPU allow access to the secure memory by the execution of various special instructions. As these instructions do not exist to a normal CPU, their execution in this environment may cause problems. The preferred methods of ensuring that PSOs are only used in a UCDPS that has an appropriate PCPU are:-

Common instruction trigger: a sequence of instructions that are common to a PCPU and a normal CPU is formed such that a certain combination triggers various events in the secure parts of the PCPU. The following example shows one alternative:-
protected software loaded into memory
execution commences at a particular location that executes three no operation (NOP) instructions in sequence, followed by a branch to the next instruction that may be the start of three more NOPs (any other permutation of suitable instructions may be used)
the instruction following this is a branch to a routine to terminate execution of the program
a CPU that is not a PCPU will execute these instructions and quickly terminate execution
a PCPU will have the facility to recognise the particular sequence of instructions; this triggers internal routines to modify the data in the branch instruction and or redirect external execution to a particular location that enables continued processing of the PSO.
This process is transparent to the operating system.
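The following is an added worked example, not part of this specification: a Python simulation of the common instruction trigger just described. A small interpreter runs the same program image on a plain CPU and on a simulated PCPU; only the PCPU recognises the NOP, NOP, NOP, branch, NOP, NOP, NOP, branch pattern and rewrites the terminating branch so that execution continues into the protected body. The instruction names, the trigger layout, the exit and entry addresses and the image itself are assumptions made for the example.

```python
# Added example (not from the specification): toy interpreter showing the
# common instruction trigger. Opcode names, layout and addresses are assumed.
from dataclasses import dataclass, field

NOP, BR, HALT, SECURE = "NOP", "BR", "HALT", "SECURE"
# Assumed trigger: three NOPs, a branch to the next instruction, three more
# NOPs, another such branch. Ordinary instructions on both CPU kinds.
TRIGGER = [NOP, NOP, NOP, BR, NOP, NOP, NOP, BR]
EXIT, ENTRY = 9, 10        # assumed: terminate routine, first protected instruction


def build_image():
    """Protected software image as laid out in the example above (constructed)."""
    return [
        (NOP, None), (NOP, None), (NOP, None), (BR, 4),    # 0..3
        (NOP, None), (NOP, None), (NOP, None), (BR, 8),    # 4..7
        (BR, EXIT),                                        # 8: branch to terminate
        (HALT, None),                                      # 9: terminate routine
        (SECURE, None),                                    # 10: protected body (PCPU-only opcode)
        (HALT, None),                                      # 11: normal end of protected body
    ]


@dataclass
class PlainCPU:
    """Executes the image literally; knows nothing about the trigger."""
    trace: list = field(default_factory=list)

    def run(self, image, max_steps=64):
        pc = 0
        for _ in range(max_steps):
            op, arg = image[pc]
            self.trace.append(pc)
            if op == HALT:
                return "terminated"
            if op == SECURE:
                return "fault"            # instruction does not exist on a normal CPU
            pc = arg if op == BR else pc + 1
        return "timeout"


@dataclass
class PCPU(PlainCPU):
    """Watches the executed opcode stream; on the trigger it redirects the
    branch that would otherwise terminate execution."""
    secure_calls: int = 0

    def run(self, image, max_steps=64):
        pc, window = 0, []
        for _ in range(max_steps):
            op, arg = image[pc]
            self.trace.append(pc)
            window = (window + [op])[-len(TRIGGER):]
            if op == HALT:
                return "completed" if self.secure_calls else "terminated"
            if op == SECURE:
                self.secure_calls += 1
                pc += 1
                continue
            if op == BR:
                if window == TRIGGER and image[arg][0] == BR:
                    # Trigger recognised: modify the data in the next branch so
                    # execution continues into the protected body instead of exiting.
                    image[arg] = (BR, ENTRY)
                pc = arg
            else:
                pc += 1
        return "timeout"


def run_on(cpu):
    """Run a fresh copy of the image so branch patching does not leak between runs."""
    return cpu.run(build_image())


if __name__ == "__main__":
    print("plain CPU:", run_on(PlainCPU()))   # terminated
    print("PCPU     :", run_on(PCPU()))       # completed
```

Note what the trigger does and does not do: it only steers execution. If someone patches the terminating branch in the image by hand and runs it on a plain CPU, execution reaches the SECURE opcode and faults, so the protection rests on the instructions that exist only inside the PCPU, not on the trigger sequence itself.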

27 

Checking the availability of resources:
If the PSO is to execute in a multitasking environment where multiple tasks are concurrently executed on a time sliced basis, it is possible that the PCPU has a limited number of PSO tasks that it can support, and the PSO may need to execute a routine to determine the availability of PCPU resources and any relevant information that the PSO requires to communicate with those resources; this information may be a task number, and or an address or block of addresses the PSO should use to communicate with the PCPU, for example the user command and data ports 199 in Figure 4, and or the amount of secure memory available to the PSO, and or any other information. This process may also involve the PSO providing the PCPU with certain information. In the case of the PCPU described with reference to Figure 4, communication would usually be via the nominated addresses constituting the System Command and Data Ports.

Should the PSO currently be unable to use the PCPU it can take any known course of action, the commonest of which may include entering a delay routine and trying again later, or a request to the operating system, with or without the ability to override the operating system; this may include program termination, with or without a message.
4 

A PSO preferably checks various information currently resident within the secure system memory of the PCPU for the presence of certain functions within the system memory and that they are a version suitable for use by the PSO. This is usually confirmed by checking that the current version number is the one required by the particular PSO, however, it may use any method. Should certain functions be absent or unsuitable, the PSO may be shipped with certain update information included as part of the PSO and or with other PSOs shipped with the PSO, and a PSO may automatically and or at the user's direction update the system functions to current information and may suitably adjust the version number, and this may be a temporary modification for the duration of execution of the PSO and or a semi-permanent or permanent change. Should the system functions not be able to be updated for any reason, the PSO would usually terminate with a request for the user to arrange for the necessary changes to system functions, however, it may take any other action.
15 

Conditions of Use:

As PSOs may need to identify to the PCPU the producer of the PSO (e.g. for billing purposes), a unique vendor identity code may be included in the PSO in a position that can be determined by the PCPU. This code is usually consistent on each product from the producer. The invention allows this method or any other to differentiate PSOs that are primarily commercial objects from those that provide various support functions.

To differentiate a particular program from others by the same producer a unique product code is usually included in the PSO in a known location and or any other way that can be determined by the PCPU. This may be unique amongst products from the same producer, however, it may be identical to another product by another producer. This code may be further used to categorise a particular program, for example to identify the program as a game or a word processor, etc., and this would usually be common across versions; part of the code may identify the version number and the balance may be used to ensure that the product is unique to that producer. Any other relevant information may also be included in the code. The invention allows that the various sub-parts of information included in this code may in part or whole be used for any purpose.

The invention allows that the billing for the use of a PSO may use information within the PSO. The following information may be located where the PCPU and or any other applicable device or process is able to identify it:

Currency Identifier - this indicates the currency in which the producer of the PSO is to be paid. It is usually used by the service provider, however, it may be used for any reason.
39 
Personal User Device Valid - this indicates whether this PSO may be used with a Personal Software Card. This is a device described in another application that lets the users of one UCDPS temporarily or permanently port various access and billing to another UCDPS.

Timed Basic Charge (or TBC) - is the unit rate for use of the product per unit of time; any time interval may be used. It is anticipated that users will ultimately determine the type of billing they want, and it will probably be based on a time used basis associated with certain frequency discounts and possibly a cut off point at which there are no additional charges. The charge rate is usually in terms of a standard unit - for example it may be US Dollars. Whatever standard rate is chosen is usually applied across all PSOs. The invention allows that any amount in any currency may be used. The invention also allows that the TBC for various countries may be different, for example to allow for different economic conditions. Any particular PSO may include the entire set of TBCs for all countries or only a subset. The TBC may be available to all regions. The invention allows that a discount schedule may apply to the TBC for increasing use or whatever reason, and that this may vary from one region to another, and this discount schedule may be stored in the PSO. Further discounting may apply for different types of users, e.g. government, education, business, and part or all of this information may be stored in a PSO. Various vendors may wish to offer various discounts for existing customers when an updated version of their product is released and or when a new product is released, and these may be stored in a PSO.

The PSO usually includes one or multiple transaction processing codes to indicate the type of billing to be applied. This may vary from region to region and each PSO may have a list that includes codes for all countries or any subset. For any particular country, there may be different codes for different classes of user, e.g. government users may be billed using a different method to business, and the combinations used may vary from one region to another.
While not an exclusive list, the following are the more common types of transaction processing codes:-
a) The PSO may be distributed at nominal cost, with the customer paying for time used.
b) The PSO may be distributed at nominal cost with the customer paying for time used, however, a data key (at no cost) is required to activate the program.
c) The PSO may be distributed at nominal cost, with the customer paying for time used, however, a data key is required to activate the program and there is a charge for the key; this charge may be located in the relevant fixed basic charge field.
d) The PSO may be distributed at nominal cost, however, a data key is required to activate the program and there is a charge for the key, however, there are no continuing charges.
e) The PSO is only supplied on receipt of payment, with additional charges for time used. A key is required to activate the program.
f) The PSO is only supplied on receipt of payment, however, there are no additional charges.

The PSO may be one that is generic to multiple PCPUs or customised to a particular PCPU.

Event Basic Charge (or EBC) - the invention allows that usage of software may be based on the number of times a program is opened and or any other event based mechanism. The Event Based Charge is the unit rate for this method of billing. All of the options and or discounts and or requirements described for TBC above apply for Event Based Charge and will not be repeated, however, the various combinations and particular options used may vary from the TBC in any way.

Fixed Basic Charge (or FBC) - this is a fixed charge to use the software and may be a one off charge that subsequently permits unlimited access on that UCDPS, or a charge that grants limited access using any combination of the previous methods. All of the options and or discounts and or requirements described for TBC above may be applicable for Fixed Basic Charges, however, the various combinations and particular options used may vary from TBC in any way.

Transaction processing codes may be constructed to detail any combination of billing processes and discounts and anything else.
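The following is an added worked example, not part of this specification: a Python metering routine that applies the billing fields described above (currency, TBC per region with a fallback, EBC, FBC, usage and user-class discount schedules and the transaction processing codes a) to f)) and that refuses to process, rather than debiting, when credit is insufficient, as the preferred method requires. Prepaid credit and unpaid credit (a credit limit) are kept separate, as the Electronic Credit PSO description requires. The field names, the basis-point encoding of discounts, integer ceiling rounding and all tariff values are assumptions made for the example.

```python
# Added example (not from the specification): PCPU-side metering of a PSO
# against the OSI billing fields. Names, encodings and values are assumed.
from dataclasses import dataclass, field

# Transaction processing code -> (data key needed, key charged from FBC,
# continuing time/event charges). Codes a) to f) as listed above.
CODE_RULES = {
    "a": (False, False, True),
    "b": (True, False, True),
    "c": (True, True, True),
    "d": (True, True, False),
    "e": (True, False, True),     # supplied only on payment; key still required
    "f": (False, False, False),   # supplied only on payment; nothing further
}


@dataclass
class Tariff:
    """Billing information a PSO's OSI would carry (constructed)."""
    currency: str
    code: str
    tbc: dict                      # region -> units per minute (Timed Basic Charge)
    ebc: dict                      # region -> units per open   (Event Basic Charge)
    fbc: int = 0                   # Fixed Basic Charge; the key charge for c) and d)
    usage_discounts: tuple = ()    # ((cumulative minutes, basis points), ...) ascending
    class_discounts: dict = field(default_factory=dict)   # user class -> basis points

    def region_rate(self, table, region):
        return table.get(region, table["default"])   # PSO may carry only a subset of regions

    def usage_discount(self, minutes_so_far):
        bp = 0
        for threshold, value in self.usage_discounts:
            if minutes_so_far >= threshold:
                bp = value
        return bp


class InsufficientCredit(Exception):
    """Raised instead of debiting: the PCPU stops processing the PSO."""


@dataclass
class PCPUMeter:
    prepaid: int                   # decremented as credits are used
    unpaid_limit: int = 0          # credit limit for unpaid credit, tracked separately
    unpaid_used: int = 0
    minutes_used: dict = field(default_factory=dict)   # product -> cumulative minutes
    activated: set = field(default_factory=set)

    def available(self):
        return self.prepaid + (self.unpaid_limit - self.unpaid_used)

    def _debit(self, units):
        if units > self.available():
            raise InsufficientCredit(f"need {units} units, have {self.available()}")
        from_prepaid = min(units, self.prepaid)      # spend prepaid credit first
        self.prepaid -= from_prepaid
        self.unpaid_used += units - from_prepaid
        return units

    def activate(self, product, tariff):
        """Supply of the data key; returns the units charged for it."""
        key_needed, key_charged, _ = CODE_RULES[tariff.code]
        charge = self._debit(tariff.fbc) if key_needed and key_charged else 0
        self.activated.add(product)
        return charge

    def _check(self, product, tariff):
        key_needed, _, continuing = CODE_RULES[tariff.code]
        if key_needed and product not in self.activated:
            raise PermissionError("data key required before use")
        return continuing

    def _discounted(self, base, tariff, product, user_class):
        bp_use = tariff.usage_discount(self.minutes_used.get(product, 0))
        bp_cls = tariff.class_discounts.get(user_class, 0)
        num = base * (10_000 - bp_use) * (10_000 - bp_cls)
        return -(-num // 10_000 ** 2)                  # integer ceiling, no float rounding

    def charge_time(self, product, tariff, region, user_class, minutes):
        if not self._check(product, tariff):
            return 0
        units = self._discounted(tariff.region_rate(tariff.tbc, region) * minutes,
                                 tariff, product, user_class)
        self._debit(units)                              # raises before any state changes
        self.minutes_used[product] = self.minutes_used.get(product, 0) + minutes
        return units

    def charge_event(self, product, tariff, region, user_class="business"):
        if not self._check(product, tariff):
            return 0
        return self._debit(self._discounted(tariff.region_rate(tariff.ebc, region),
                                            tariff, product, user_class))


def demo():
    """Constructed walk-through; returns the units charged per step and the credit left."""
    tariff = Tariff(currency="USD", code="c", tbc={"US": 10, "default": 8},
                    ebc={"default": 25}, fbc=50,
                    usage_discounts=((60, 1000), (600, 2500)),
                    class_discounts={"education": 2000})
    meter, log = PCPUMeter(prepaid=600), []
    log.append(meter.activate("wp", tariff))                             # key: 50
    log.append(meter.charge_time("wp", tariff, "US", "business", 10))   # 100
    log.append(meter.charge_time("wp", tariff, "AU", "education", 60))  # 8*60 less 20%: 384
    log.append(meter.charge_time("wp", tariff, "AU", "education", 10))  # plus 10% usage: 58
    try:
        meter.charge_time("wp", tariff, "US", "business", 10)            # 90 needed, 8 left
    except InsufficientCredit:
        log.append("stopped")
    return log, meter.prepaid
```

The debit is checked before any state changes, so a rejected interval leaves credit and cumulative minutes untouched; and the discount arithmetic is done in integer basis points so that the PCPU and the service provider compute identical unit counts.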
13 

The ability to distribute software in massive quantities with very low up-front costs to the user may provide significant changes to the methods of marketing and advertising software, for example by giving the user free or discounted access to various products, particularly new products. This may include various promotional schedule codes (PSC) within the PSO, that may be designed to achieve any outcome that is permitted by the PCPU that the PSO executes on, and this may include codes representing anything to do with promoting any sort of product using any known method, including:-
• a list of discounts and the time they apply may be included within the PSO, and they may be multiple. The discounts may be any value, and may result in free software for variable periods of time. The facility even exists for a producer to pay a user to try their product. Particular promotions may have a use by date attached to them.
• Another approach may be to generate a random number in the PCPU each time a program is run, and or on any other basis. If this matches a code in the PSO, then various free program time may be provided on the current PSO and or another program by the producer, and or various prizes may be given away.
• The software may also be made available to a potential user with part of its functionality disabled, with a nominal charge applied to the use of this partially disabled program. This may be particularly useful for programs that may take time to assess, for example a new accounting program, where the user may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may or may not have a charge), and or may execute a program that initiates time and or event based billing, or any other method.

The information to perform any promotional function may be included in part or whole within the PSO, however, it would usually rely in part or whole on secret processes within the PCPU to prevent unauthorised manipulation of the promotions.

Certain software products may be unsuitable for use by particular groups. For example, certain countries may be restricted from using software because of security concerns and or because it may offend certain cultures, and or other software may be unsuitable for children, and or it may be restricted to certain professions, and or it may be restricted to use at certain times and or for any other reason. Codes representing such restrictions may be defined and may be included in a particular PSO to limit access to various categories of user.
3 

Any information included in a particular OSI may become obsolete and this may be a particular problem with prices and discounts. Any information contained in an OSI may be replaced in part or whole with other more readily updated information stored in any suitable location; this may include locations within the PCPU, and or stored on one or multiple mass storage devices, and or distributed with other PSOs, and or distributed as part of codes supplied to users to update PCPU credits and or for any other reason, and or any other method, subject to the overall control of the service provider who can vary the actual amount charged to any particular user. The billing process is described later in this application.

Part or all of the information within the OSI is usually reliant on known information within the secure system memory of the PCPU to correctly interpret and or execute the various functions, however, as part or all of this PCPU memory may be reprogrammed by suitably encrypted external information, part or all of which may be included within the PSO, the specific requirements of a particular PSO may be met by dynamically modifying part or all of the secure system memory. Additional flexibility may be gained by loading any required part of the PSO into secure user memory for execution. Although various functions have been detailed for the OSI, in practice a multiplicity of special functions may be included and these may occur during any part of the execution of the PSO.
19 

Method to update the PCPU:
Another step in the preparation of a PSO may be to include in the PSO various routines and data that will execute automatically and or under user control to update various information on the UCDPS for any reason, and may include:-
• update the secure system memory
• update various files stored on a UCDPS that contain various billing information and or discounts and or promotions and or any other information.
These update functions may be included as part of the actual PSO and or as part of one or more other PSOs. These other PSOs may be created specifically for the purpose and or may be parts of other PSO applications. These other PSOs may be supplied to the user with the said actual PSO and or may be supplied separately.
30 

Error and Validity Checking:
A PSO, and the PCPU with which it is to operate, are provided with a number of secure mechanisms to protect against unauthorised analysis of information stored within. As there may be considerable financial gain to any party that manages to compromise the security of either, it is anticipated that a number of attempts will be made to compromise the security of both, and one method may be aimed at changing various parts of the PSO in an attempt to analyse the various outcomes. In order to protect against this and also to detect genuine errors in the PSO, it is usual to use one or more error and or validity checking processes on information within the PSO. These may use any known method and apparatus, and may be dependent in part or whole on functions within the PCPU, that may include:-
• routines within system memory, and or
• various algorithms implemented in hardware within the PCPU, and or
• routines loaded from external sources (usually, in part or whole, in encrypted format), and or
• routines loaded from the PSO (usually, in part or whole, in encrypted format), and or
• any other source
The error checking and validity checking is a process that usually occurs in total secrecy at both ends, with the service provider the only party that knows the process. The service provider is aware of the processes available in any particular PCPU to extract and validate any parity information and or CRC information and or any other information, and the method used to take the actual code of the PSO and generate the expected parity information and CRC information and any other information, and the methods to determine whether or not the expected information matches the extracted information. The service provider can take a PSO at any stage or stages in the conversion process from software object to PSO and analyse the information and add and or change data in such a manner that the outcome when run through the error and validity checking process in the PCPU produces no errors. Should one or multiple parts of the PSO be changed by an unauthorised party, the error and validity checking process in the PCPU will detect the modifications and may take any of the actions described later. If the service provider prepares a PSO for error and validity checking according to a protocol preprogrammed into the PCPU, there may be no need for any other information within the PSO, however, if the service provider follows a variable pattern and or non-standard process then additional information may need to be included within the PSO to permit correct analysis at the other end, and this may use any known method. As part or all of the PSO will usually be subsequently encrypted, there is no point of reference for an unauthorised analysis of the PSO to even hint at which apparently meaningless data is part of error checking and which is encrypted information. Furthermore, the error and validity checking system usually only needs to work in one direction - provider to user, although some processes may need to be included within the PCPU to generate error and or validity checks on information that is to be stored in encrypted format in external resources (these are discussed in more detail in the application). Any number of error detection and validity checking processes may be applied, and these may be applied at any stage of the encryption process. The invention also allows that error and or validity checking may be applied to part or all of the PSO with the actual method to reverse this included within the PSO, and as long as part or all of the method to reverse is encrypted and the reversal process occurs in secrecy, there is no means of reverse engineering the process, and the actual methods and or apparatus used may be any known method.
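The following is an added worked example, not part of this specification, covering both the paragraph following item 13 (an unacceptable object, a predetermined number of errors leading the SPD to disable itself as in item 11, and re-enabling by a validated object as in item 12) and the Error and Validity Checking section above. In Python, the service provider packages a PSO with an error check (CRC-32 over the plaintext) and a validity check (HMAC-SHA256 over header and ciphertext, so a tampered byte fails the validity check before anything is decrypted), and the PCPU loader validates it, counts rejections, refuses everything after a threshold, and accepts only a validated system-update PSO to re-enable. The header layout, the kind codes, the HMAC-based stream cipher standing in for "any known encryption method", the shared device secret and the error threshold are assumptions made for the example.

```python
# Added example (not from the specification): PSO packaging with error and
# validity checks, and a PCPU loader that counts rejections and self-disables.
# Header layout, kind codes, cipher construction and threshold are assumed.
import hashlib
import hmac
import struct
import zlib

MAGIC = b"PSO1"
KIND_COMMERCIAL, KIND_SYSTEM_UPDATE = 1, 2
HDR = struct.Struct(">4sB8sI")      # magic, kind, 8-byte nonce, CRC-32 of plaintext body
TAG_LEN = 32


def keystream_xor(key, nonce, data):
    """CTR-style stream with HMAC-SHA256 as the PRF; XOR both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_pso(body, key, nonce, kind=KIND_COMMERCIAL):
    """Service provider: error check on plaintext, encrypt, then validity check
    over everything transmitted (encrypt-then-MAC)."""
    header = HDR.pack(MAGIC, kind, nonce, zlib.crc32(body))
    blob = header + keystream_xor(key, nonce, body)
    return blob + hmac.new(key, blob, hashlib.sha256).digest()


class Rejected(Exception):
    """The object is not acceptable to the SPD."""


class Disabled(Exception):
    """The SPD has disabled itself (item 11)."""


class PCPULoader:
    def __init__(self, key, max_errors=3):
        self._key = key              # secret shared with the service provider (assumed)
        self.max_errors = max_errors
        self.errors = 0              # cumulative rejections (assumed; could be consecutive)
        self.enabled = True

    def _validate(self, pso):
        """Validity check first (constant-time compare), then decrypt, then error check."""
        if len(pso) < HDR.size + TAG_LEN:
            raise Rejected("truncated object")
        blob, tag = pso[:-TAG_LEN], pso[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self._key, blob, hashlib.sha256).digest(), tag):
            raise Rejected("validity check failed")
        magic, kind, nonce, crc = HDR.unpack_from(blob)
        if magic != MAGIC:
            raise Rejected("not created for use with an SPD")
        body = keystream_xor(self._key, nonce, blob[HDR.size:])
        if zlib.crc32(body) != crc:
            raise Rejected("error check failed")
        return kind, body

    def process(self, pso):
        """Return the decrypted body or raise. After max_errors rejections no
        further access is granted until a validated system update arrives."""
        if not self.enabled:
            try:
                kind, body = self._validate(pso)
            except Rejected:
                raise Disabled("SPD disabled") from None
            if kind != KIND_SYSTEM_UPDATE:
                raise Disabled("SPD disabled")
            self.errors, self.enabled = 0, True     # item 12: validated update re-enables
            return body
        try:
            kind, body = self._validate(pso)
        except Rejected:
            self.errors += 1
            if self.errors >= self.max_errors:
                self.enabled = False                 # predetermined number of errors reached
            raise
        return body


def demo():
    """Constructed walk-through: a good PSO, three tampered copies, lock-out, recovery."""
    key = hashlib.sha256(b"constructed-device-secret").digest()
    good = build_pso(b"MOV A, credit; SUB A, 1; JNZ run", key, b"\x00" * 7 + b"\x01")
    tampered = bytearray(good)
    tampered[HDR.size] ^= 0x01                       # flip one ciphertext bit
    pcpu = PCPULoader(key, max_errors=3)
    results = [pcpu.process(good)]
    for _ in range(3):
        try:
            pcpu.process(bytes(tampered))
        except Rejected as err:
            results.append(str(err))
    try:
        pcpu.process(good)                           # valid, but the SPD is now disabled
    except Disabled:
        results.append("disabled")
    update = build_pso(b"SYSTEM UPDATE v2", key, b"\x00" * 7 + b"\x02", kind=KIND_SYSTEM_UPDATE)
    results.append(pcpu.process(update))
    results.append(pcpu.process(good))
    return results
```

Checking the authenticator before decrypting matters: a loader that decrypts first and then compares a CRC gives an attacker an oracle on the ciphertext, and the CRC alone can be recomputed by anyone who has changed the plaintext. The secret-keyed validity check is what detects the unauthorised change; the CRC remains useful for detecting genuine transmission errors.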
30 

Encryption of the information to create the Protected Software Object:
The final step in the creation of a PSO is the conversion of the software object as supplied by the producer, together with any additional information as previously discussed, to a protected program that provides the security against illegal use of the program. By encrypting the PSO using any known encryption method and any combination of known encryption methods, including the processes described previously, the software object is converted to a PSO that in part or whole may only be executed internal to an appropriate PCPU. The security may use one and or multiple levels of complexity. The software object is examined to determine which parts require encryption, what method or methods of encryption should be applied, and any additional information required to support these methods. The actual arrangement of information within any part of the PSO to effect various outcomes will be highly variable, with the exception of certain functions fixed by a particular PCPU, and as the present invention allows for the provider supplied PSO to be flexible and the functions within a particular PCPU to be programmed in a multiplicity of ways, the various combinations and permutations to achieve the same outcome are obvious once the specific requirements and one method of achieving them are known.
5 

6 Crediting funds into a PCPUfand or othCTPCPLH: 

7 The present imrention allows that a part of the secure system menoory of a PCPU may be securely programmed with 

8 information that indicates an amount of credit (using any method end or currency) that may be (&tL against 

9 software usage (and or any other applicable uses). Various secure locadons within the PCFU within a pardcular 

10 UCDPS may contain codes that are unique to that particular PCPU and these codes are usually secret A particular 

11 PCPU usually has a publidy accessible electronic signamre that can be used to identify a particolar UC3)PS. A 

12 particular PCPU may also have other characteristics that are unique to a particular PCPU. fcr example; particular 

13 software routines and or encryptioz^deciypticEi processes and or any odier i^licable variation. Because of the secure 

14 nature of infortnaticni contained within a PCPU, it is preferable that conversion of a software object imo a PSO is 

15 performed by a service provider, and that the actual information withm PCPUs is mnmramp^ in a secure 

16 environment When a UCDPS is initially shipped to a customer, it is likely that the PCPU has no credit vahie 

17 programmed within and may not be activated to execute PSOs. Tlie process of activating a particular PCPU may be 

18 accomplished by any mediod and apparams, including: 

19 1) Ibe user contacts a service provider (using any method, the iiu>st convenient usually being via a modem) and 

20 supplies the service provider with the serial number of the PCPU, the amoum of credit required, and payment details 

(that is preferably a credit card payment) that may use any known method.
2) Using known details about various information within that particular PCPU, the service provider uses the
requested amount of credit and encrypts this amount using any known method and apparatus (and an experienced
person should be able to devise multiple techniques based on the encryption/
The encryption process that may use any information (including time and or date and or any other unique and or
global information within the PCPU and or that may be securely transferred
including those described in this application) to generate a one time code that may be decrypted within the PCPU.
3) The one time code is transferred to the user of the PCPU and entered into the computer. The code is decrypted,
an error is generated, the user may be advised. Once the amount is confirmed the nominated credit is programmed
into any appropriate secure non-volatile location internal to the PCPU that cannot be tampered
4) This process may activate the PCPU if required, however, the preferred determinant as to whether or not a
particular PCPU will execute one or multiple PSOs is based on the amount of available
5) The available credit is progressively decremented as various PSOs are used, and the present invention allows for
any method and apparatus for billing for PSO use.
6) Software usage of various software objects may be logged. This is described
7) When the credit amount is decremented to a predetermined amount (and said predetermined
service provider and or the user) the user is advised that additional credit will be required shortly. The method of
advising the user of an imminent shortage of credit may use any method and or apparatus, however, as the programs
that implement this process are preferably executing in part or whole from within secure memory internal to the
PCPU, the facility exists to generate an internal interrupt and jump to an appropriate internal and or external
program. This may occur at any time
transparent to the operating system
apparatus) for the user to generate a current report of available
8) For the second and subsequent contacts with a service
addition to providing the service provider with the electronic signature of their PCPU, the user will usually be
required to advise the service provider a code (that is securely generated within the PCPU using any known
method and apparatus within the PCPU) that may include current
zero) and may include information on the usage of part or all software
9) Step 2 is repeated, however, in addition to credit information, the code
encrypted message that informs one or multiple routines within the PCPU that information pertaining to software
object use has been received by the service provider. Storage locations
cleared.
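The steps above leave the encoding of the one time code open ("any known method and apparatus"). The Python below is an added example written for this page, not code from the patent: it simulates one concrete realisation in which the service provider binds the encrypted credit amount to a device identifier and a monotonically increasing counter and authenticates the whole code, so that the PCPU can reject a code altered in transit, a code replayed a second time, or a code issued to a different device. It also implements the low-credit warning of step 7 and the lockout of repeated bad entries that the document describes later under trial-and-error protection. The device identifier, the shared secret, the 4-byte amount and counter fields, the HMAC-based keystream and tag, the warning threshold and the lockout count are all constructed assumptions; a production device would use a vetted authenticated-encryption scheme and keep its secret in secure non-volatile memory.

```python
import hashlib
import hmac
import struct

# Constructed identity and shared secret for one PCPU.  In a real device the
# secret lives in secure non-volatile memory and is never exported.
DEVICE_ID = b"PCPU-0001"
DEVICE_SECRET = hashlib.sha256(b"constructed device secret").digest()


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive separate keys for encryption and authentication from one secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(secret: bytes, header: bytes) -> bytes:
    """4-byte keystream for the amount field, unique per (device, counter)."""
    return hmac.new(_subkey(secret, b"enc"), header, hashlib.sha256).digest()[:4]


def _tag(secret: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Authentication tag over everything the PCPU will act on."""
    return hmac.new(_subkey(secret, b"mac"), header + ciphertext, hashlib.sha256).digest()[:8]


def provider_make_code(secret: bytes, device_id: bytes, counter: int, amount: int) -> bytes:
    """Step 2 (service provider): encrypt `amount` for one device and authenticate it.
    `counter` must increase with every code issued to that device."""
    header = device_id + struct.pack(">I", counter)
    ciphertext = bytes(a ^ b for a, b in zip(struct.pack(">I", amount), _keystream(secret, header)))
    return header + ciphertext + _tag(secret, header, ciphertext)


class PCPU:
    """Device side: steps 3, 4, 5 and 7, plus lockout of repeated bad codes."""

    MAX_FAILED_CODES = 3      # assumed lockout threshold
    LOW_CREDIT_WARNING = 10   # assumed step-7 threshold, in credit units

    def __init__(self, device_id: bytes, secret: bytes) -> None:
        self.device_id = device_id
        self._secret = secret
        self.credit = 0
        self.last_counter = 0      # highest counter accepted so far (anti-replay)
        self.failed_codes = 0
        self.disabled = False
        self.usage_log = {}        # (vendor, product) -> units consumed

    def enter_code(self, code: bytes) -> bool:
        """Step 3: verify and decrypt a one time code; lock out after repeated failures."""
        if self.disabled:
            return False
        if self._accept(code):
            self.failed_codes = 0
            return True
        self.failed_codes += 1
        if self.failed_codes >= self.MAX_FAILED_CODES:
            self.disabled = True
        return False

    def _accept(self, code: bytes) -> bool:
        n = len(self.device_id)
        if len(code) != n + 4 + 4 + 8:
            return False
        header, ciphertext, tag = code[:n + 4], code[n + 4:n + 8], code[n + 8:]
        if header[:n] != self.device_id:
            return False                                   # issued for another device
        if not hmac.compare_digest(tag, _tag(self._secret, header, ciphertext)):
            return False                                   # altered or forged
        counter = struct.unpack(">I", header[n:])[0]
        if counter <= self.last_counter:
            return False                                   # replay of a used code
        plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(self._secret, header)))
        self.credit += struct.unpack(">I", plain)[0]
        self.last_counter = counter
        return True

    def use_pso(self, vendor: str, product: str, units: int) -> str:
        """Steps 4, 5 and 7: run a PSO only while credit covers it; decrement and log."""
        if self.disabled:
            return "disabled"
        if self.credit < units:
            return "insufficient credit"
        self.credit -= units
        self.usage_log[(vendor, product)] = self.usage_log.get((vendor, product), 0) + units
        return "low credit" if self.credit <= self.LOW_CREDIT_WARNING else "ok"
```

The counter is what gives the code its one-time property: the provider never issues the same counter twice for a device, and the PCPU only moves its high-water mark forward, so a code that was valid once is rejected the second time even though its tag still verifies.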

The present invention allows that although the process as described
also compatible with the provision of credit within the PCPU on a
amount allocated would usually be sufficient to cover expected usage
bill the user may be calculated by subtracting the amount of credit remaining from the amount supplied in the
previous period and or any other method and apparatus.

A user friendly menu system may be used to assist part or all of the process described above.


Monitoring the use of protected software objects:
The present invention allows for any known method and apparatus that can monitor and or record the usage of
PSOs (and or software objects), and preferably one that is compatible with multitasking programs in a single
processor and or multiprocessor environment, and preferably one that
operates to part or whole from within a PCPU and or any other SPD, when the UCDPS
or when independent and connected to a network and or when
its correct functioning, and or when the UCDPS is dependent in part or whole on connection to a network, and or is
dependent in part or whole on connection to the Internet (or similar). In a single task UCDPS the SPD usually starts
recording usage when activated and terminates
environment where usage is timed is to generate an internal interrupt within the secure microprocessor on a periodic
basis, and said interrupt activates a routine within internal secure memory
counter of the system microprocessor at the time of the interrupt and
thereto) to determine which program was executing during the interrupt. The
and representation and or weighting for usage of any one or multiple
occurrences of the measured event in single and multitasking UCDPS. The
or whole within secure internal memory, however, the invention allows
of PSOs may be encrypted and stored external to the PCPU and or UCDPS. It is preferable to keep in first
information on PSO use internal to the device, in order that a software
the event that external storage of this information is corrupted, in which case while there may be no detailed
breakdown of transactions, the vendor is correctly remunerated. The aforementioned processes are transparent to the
operating system. An alternative non transparent method is to have the operating system perform various routines
during task switching that may activate various processes within the secure internal memory to record details about
program execution. Information on program usage is usually maintained in secure non-volatile storage locations
internal to the SPD. The invention allows that a report on software usage may be prepared (usually in encrypted
form, using any method and apparatus) for transmission to a service provider and or any other authorised party on a
periodic basis, that may be any period and may be fixed and or variable; this report is usually generated by secure
routines within one or more PCPUs from information that may be internal and or external to the PCPU.


Controlling execution (and or any other processing) of protected software objects:
One objective of the invention is to provide a method and apparatus that may be used to protect software objects in a
manner that does not restrict the copying of the PSO and that in the preferred scenario, would provide at nominal
cost, a copy of that particular software object to any user of a UCDPS requiring it. An optimal situation would be the
collation of all PSOs suitable for use with a particular type of UCDPS onto a collection of CD ROMs that may be
supplied to users at nominal cost. Update CD ROMs may be made available on a periodic basis. The invention
allows for PSOs to be supplied on any medium and this may include access to a database of PSOs via the Internet.
The capacity of a SPD to decrypt externally supplied information in a secure manner that may include realtime
decryption and decryption using software routines within internal secure memory (that may be supported by
hardware decryption engines) together with the method and apparatus to securely encrypt information for transfer to
a service provider (or any other appropriate external party), provides a secure and flexible
the use of a PSO using multiple methods and the invention allows for all of these. At some point
a PSO, and usually at the commencement, the SPD may require certain information
determining the type of protection system applied to the PSO, for example, certain data (or any other method) may
be extracted from the PSO to inform the SPD that this particular PSO may be limited on a time used basis and
whether or not this is linked to the availability of credit within the SPD. Information on the vendor and or the
product code of the PSO and usually the amount to charge for a unit of execution time may then be required (and
this information may be required by any other protection systems). One source of
and this information may be extracted by the SPD, using any method and apparatus. The usual process extracts
(using any method and apparatus) the vendor and product code from encrypted parts of the PSO within
secure memory internal to the SPD. The cost of executing (and or any other processing) the PSO on a time and or
event basis and or any other basis is extracted from the PSO where applicable. Where
right to execute a particular program, the SPD grants a generic right to execute as long as certain internal and or
external generic codes match the requirements of one or multiple PSOs. The invention allows that information
contained within a PSO may not be current as regards execution costs (and or any other information) and provides
for any method and apparatus to compensate for this, with the preferred method being the provision of one or
multiple files located on a suitable mass storage device attached directly and or indirectly to the UCDPS, with said
files referenced in this document as Current Data Files (or CDF). CDF may be updated as required using any
method and apparatus (including automatic update using information contained in newly released PSOs). A current
data file may contain any information, and may replace part at least of the
include details of the costs associated with executing PSOs (that may be all, or a subset of, the available PSOs), and
this may include information on discounts for frequency and or quantity and or special groups and or special
promotions and or any other information. A CDF may have a creation date and or one or multiple blocks of
information pertaining to one or multiple PSOs may include the date (or any other method and apparatus to effect
an equivalent result) said information pertaining, became valid. When a PSO is created, the date of creation (and or
any other method and apparatus to effect an equivalent result) is usually included within the PSO and when a PSO
is processed, the date within the PSO may be compared to that within the CDF (if present), with the more recent
information preferably used. The information within a CDF is protected
including protection against tampering with the information. Various validity checks may be performed when
information within a CDF is loaded and or used (this may be for any reason including detecting unauthorised
alterations to the information). When an SPD generates a report for the service provider (or any other
party) it may include information on the currency of information
CDF, and or the creation dates of the PSOs executed. It may be that a user knows that
the SPD may result in increased costs to the user than would be incurred, by reference
the actual PSO, and said user may be reluctant to update their current CDF and or may delete the CDF (the
invention allows that the presence of at least one CDF is required). The invention allows for any method and
apparatus that may be used to circumvent this potential problem, including the
reflect current charges (or any other reason).
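The paragraph above has the SPD compare the pricing date embedded in a PSO against the date in a Current Data File, prefer the more recent, check the CDF for tampering when it is loaded, and insist that at least one CDF be present. The Python below is an added example written for this page rather than the patent's own design, showing one way those checks fit together: the CDF is sealed with an HMAC under a key the SPD holds, a CDF that fails the check is rejected before any price is read from it, and charge resolution reports which source won together with the CDF creation date so the SPD can include CDF currency in its usage report. The JSON layout, the field names (created, valid_from, unit_charge), the key and the sample prices are constructed.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed key held in the SPD's secure memory and shared with the service
# provider that issues CDFs.
CDF_KEY = hashlib.sha256(b"constructed CDF integrity key").digest()


def seal_cdf(cdf: dict, key: bytes) -> bytes:
    """Provider side: serialise the CDF and append an integrity tag."""
    body = json.dumps(cdf, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_cdf(blob: bytes, key: bytes) -> Optional[dict]:
    """Validity check on load: return the CDF only if its tag verifies.
    None means the file was altered and must not be used for pricing."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def resolve_charge(pso_header: dict, cdf: Optional[dict]) -> dict:
    """Choose between the pricing embedded in the PSO and the CDF entry for the
    same vendor/product, preferring whichever became valid more recently."""
    if cdf is None:
        raise ValueError("no valid CDF present; at least one is required")
    key = f"{pso_header['vendor']}/{pso_header['product']}"
    pso_date = date.fromisoformat(pso_header["created"])
    entry = cdf.get("products", {}).get(key)
    if entry is not None and date.fromisoformat(entry["valid_from"]) >= pso_date:
        return {"source": "CDF", "unit_charge": entry["unit_charge"],
                "valid_from": entry["valid_from"], "cdf_created": cdf["created"]}
    # No entry, or the PSO carries newer information than the CDF: use the PSO.
    return {"source": "PSO", "unit_charge": pso_header["unit_charge"],
            "valid_from": pso_header["created"], "cdf_created": cdf["created"]}
```

Because load_cdf refuses an altered file outright, the "delete or edit the CDF to get a cheaper rate" scenario the paragraph worries about collapses to "no valid CDF", which resolve_charge treats as an error rather than silently falling back to the PSO's possibly stale price.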

The preferred protection system is applicable to PSOs that are permitted to operate within a UCDPS on an
unrestricted basis, as long as certain criteria are met:
• the PCPU and or any other PCPU has sufficient credit programmed into the device (using any method and
apparatus) to cover the costs incurred by the user in executing the PSO, and or
• the use of each PSO is logged and this may be time based and or event based and or any other method and
apparatus that requires periodic reports on software use and or any other information to be provided to an
appropriate external party.


The invention allows that PSOs may be used on a time and or events basis and that this may require
of credit within the SPD and or may not require the availability of said credit, in
be billed for use of software after providing a periodic report to the service provider. As the PSO is used, the
appropriate units of usage (that may be time and or monetary and or any other token) are progressively adjusted
against a particular vendor/product code (and or any other method). When
in association with the use of one or multiple PSOs, the amount of available credit to the user is
credit units within a SPD may represent any token and or currency, using any
method and apparatus to securely store this information and this may be internal and or external to the SPD. A
number of method steps were described earlier for transferring credit to a particular SPD, and the same method may be
used for supplying a service provider with information about
SPD that this information has been received, and that further use of PSOs may
and apparatus is allowed for. For PSOs that require the availability
a user may be required to provide a report when available credit within the SPD is zero and or some other
predetermined amount and or the user may be required to report information to the service provider on a periodic
basis, and said periodic basis may be any period and it may be varied by the service provider, and or the user may be
required to report to the service provider when a certain number of events have occurred, that may be any
combination of events, including the number of times one or multiple PSOs have been used, and or a user may be
required to provide a report to any authorised party for any reason; those PSOs that do not require the presence of
available credit within the SPD may share any of the reporting requirements discussed, however, they usually are
independent as to the state of credit within the SPD. In practice a mix of methods may be used and a periodic report
may be required. When a report is required on a periodic basis, a secure battery backed realtime clock/calendar is
the preferred source of determining (in conjunction with predetermined and or otherwise information on the time
intervals to be used) when the relevant time interval has occurred. When available credit expires and or a certain
date and or time is reached and or a certain number of events and or type of events have occurred, part or all
functions of the SPD may be disabled.

Whatever the trigger point for requiring the user to supply the service provider with a report generated by secure
methods within and or in conjunction with the SPD, the method steps to supply said report and to reactivate the SPD
for further use may use any method and apparatus, including:
1) When the SPD determines that internal and or external information is due for reporting to a service provider, any
method may be used to alert the user, and one preferred method uses the ability of the PCPU to call routines
transparently to the operating system by having the secure microprocessor DMA information to display memory and
this facility may be used to overlay a message on the display device of the UCDPS advising them to execute a
program that will generate a report and this is preferably at the start of a processing session.
2) The report generator is executed and this may display a menu based system to assist the
If information is to be transmitted to the service provider via a modem and any return information received by the
same method then the process may be fully automated and transparent to the user. The invention allows for any
method and apparatus that assists the user with the process. The report generator usually
SPD that collate and encrypt the information to be supplied to the service provider, with the information usually
including one or multiple unique identity codes for a particular SPD, and this may and or may not be encrypted. The
report would usually be integrated with any information to be supplied to a service provider as regards credit
remaining within a SPD.
3) The user contacts a service provider (using any method, the most convenient usually being via a modem) and
supplies the service provider with the information generated by the report generator. As mentioned, if using a
modem this process may have minimal user intervention. If a modem
any method, including as a file on a diskette and or the information may be read over a telephone (this may be verbal
or use the numeric pad) and or any other method.
4) On receipt of the information the service provider determines the electronic signature of the SPD generating the
report and using known details about various information within that particular SPD decrypts the report and
confirms that it has not been tampered with.
5) Any method may be used to collect payment for any amounts payable as a result
any other reason.
6) The service provider prepares a one time code using any method and apparatus
by the target SPD and is usually specific to a particular SPD.
7) The one time code is transferred to the user of the SPD and
error is generated the user may be advised. The purpose
SPD that a correctly encoded report was received by the service provider and that further use of PSOs may proceed.
Other information, e.g. credit may be included with said code. The normal process preferably provides a
report and ensure continued use of PSOs prior to the expiry date of the current period
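Steps 1) to 7) describe a round trip: the SPD collates usage and remaining credit into a report carrying its identity code, the service provider checks the report against what it knows about that SPD, and a one time code returned to the SPD confirms receipt so that the stored usage can be cleared. The Python below is an added example for this page, not code from the patent, modelling that round trip with an HMAC under a per-device secret standing in for the SPD's "electronic signature" (the report body is authenticated but, for brevity, not encrypted here, whereas the patent usually has it encrypted as well). The acknowledgement is bound to the digest of the exact report the provider verified, so an acknowledgement cannot be reused for another period and the SPD clears its usage log only after a matching one arrives. Device names, the period label, the registry of device secrets and the usage figures are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional


class ReportingSPD:
    """Device side of steps 1, 2 and 7: collate, sign, and clear on acknowledgement."""

    def __init__(self, device_id: str, secret: bytes) -> None:
        self.device_id = device_id
        self._secret = secret                  # per-device secret shared with the provider
        self.credit = 0
        self.cdf_date: Optional[str] = None    # creation date of the CDF in use
        self.usage = {}                        # "vendor/product" -> units used this period
        self.pending: Optional[bytes] = None   # digest of the report awaiting acknowledgement

    def record_use(self, vendor: str, product: str, units: int) -> None:
        key = f"{vendor}/{product}"
        self.usage[key] = self.usage.get(key, 0) + units

    def generate_report(self, period: str) -> bytes:
        """Step 2: identity code in the clear, body authenticated with the device secret."""
        body = json.dumps({"device": self.device_id, "period": period,
                           "credit_remaining": self.credit, "cdf_date": self.cdf_date,
                           "usage": self.usage}, sort_keys=True).encode()
        tag = hmac.new(self._secret, body, hashlib.sha256).hexdigest().encode()
        self.pending = hashlib.sha256(body).digest()
        return body + b"." + tag

    def apply_ack(self, ack: bytes) -> bool:
        """Step 7: only an acknowledgement for the pending report clears the usage log."""
        if self.pending is None:
            return False
        expected = hmac.new(self._secret, b"ack" + self.pending, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(ack, expected):
            return False
        self.usage = {}
        self.pending = None
        return True


def provider_verify_report(registry: dict, report: bytes) -> Optional[dict]:
    """Step 4: look up the SPD's secret by its identity code, recompute the tag,
    and return the parsed report only if nothing was altered."""
    try:
        body, _, tag = report.rpartition(b".")
        payload = json.loads(body)
        secret = registry[payload["device"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def provider_make_ack(secret: bytes, report: bytes) -> bytes:
    """Step 6: one time code bound to the exact report that was verified."""
    body, _, _ = report.rpartition(b".")
    return hmac.new(secret, b"ack" + hashlib.sha256(body).digest(), hashlib.sha256).digest()[:8]
```

Keeping the identity code readable without the key is what lets the provider select the right secret in step 4; everything the provider bills from (usage, remaining credit, CDF date) sits inside the authenticated body, so editing any of it invalidates the tag.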

With the exception of the periodic updating of internal credits and the reporting
apparatus of software protection and distribution may be transparent to the user. As long as payments are made
required the user would treat a PSO as they would any presently available software object.


The invention allows that a user may purchase a particular PSO for unlimited
apparatus, including debiting the cost of the PSO from any available internal credit and setting a code such that
there is no further billing for use of this PSO. One method allows for a file to be kept on a suitable mass storage
device attached directly and or indirectly to the UCDPS (referenced as Exempt PSO File, or EPF) and this may store,
usually in encrypted format (in part or whole), a vendor code and product code and a code that is unique to a
particular PCPU for that particular product. Said code is usually created
automatic when there is available credit in the PCPU and or may be supplied by the service provider on receipt of
payment and or any other method. When a PSO is loaded for execution, routines within
file and determine whether or not a particular PSO that is normally charged on a
from this process. One alternative is for the service provider to credit any debits


A variation on the method and apparatus described earlier allows for a certain group of protected
unlimited basis for a period of time, for one fixed charge. This
be used for $X per month, where X may be any amount. A periodic report is required to determine usage of the
different games in order to appropriately pay the vendors of those
vendors may be made by the service provider using any agreed formula. This may use a special code within the
PSO and or the CDF and or the EPF and or any other method. The invention allows that multiple software object
groupings may use this variation and the amount charged for one grouping may be the same and or different to
groupings.

The invention allows that part or all of the processes that require the user to
part or all of the invention for any reason, may use any method and apparatus to prevent attempts at obtaining valid
codes by trial and error and or any other method, with the preferred
routine(s) within secure internal memory that log in non-volatile storage
or all of this information may be stored in one or multiple external files, that may be directly and or indirectly
attached to the UCDPS. The invention allows for any action to be taken including, disabling the PSO and or
multiple PSOs and or the PCPU and or all processing capability, and this may be done using any method and
apparatus.

The invention allows that a user who has purchased in part or whole one or multiple PSOs and or earned frequency
discounts on one or multiple PSOs and or any other reason, may wish to port these to another SPD for any reason,
including that the user has purchased a new machine and or because the user wishes to sell part or all of any interest
in one or multiple PSOs to another user. The invention also allows that one or multiple PSOs may not offer this
facility. The invention allows that there are multiple known methods and apparatus for achieving this including, the
preferred option that may involve the following method steps:
1) the user activates a program to reverse various capabilities granted to a particular SPD, for example activation
codes and or discount schedules. This would usually initiate a menu type screen on the display device; using the
method previously described, of the UCDPS to assist the process.
2) the user nominates those PSOs that are to have part or all rights of use transferred to another
3) the program may change various internal locations and may change various external locations such that existing
rights are no longer valid on the SPD.
4) encrypted information is supplied to the service provider indicating that various access rights to one or multiple
PSOs have been modified, and the encrypted information (using any method and apparatus) is decrypted and
verified for validity, using any method and or apparatus.
5) the user usually informs the service provider of the new SPD that various access rights are to be transferred to.
This may be multiple SPDs.
6) any codes and or discounts and or new versions of encrypted PSOs are prepared for the nominated PSOs and
supplied accordingly.

User Password:
Certain information is preprogrammed into the PCPU prior to being made available to a user and this may
restrict the user of that particular PCPU from various functions available within the PCPU and or available in
various information supplied by a service provider. An example may be to restrict users of a particular country from
various services. The invention allows that some of these restrictions may be reprogrammable with information
supplied by the service provider while other information may be fixed. A user of a
may have various restrictions that they want placed on the use of the PCPU and these would normally be
programmable by the user, and these may include any approved functions, using any known method. A user may
want a master password for themselves and this would usually be stored within non-volatile storage elements of
system memory, and the correct entry of this may be required to activate the PCPU (if
within may be disabled). Additional passwords may also be required that allow limited access to the PCPU, for
example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain
employees may be prevented from playing games on their computers during business hours. Certain functions may
also be attached to various passwords, e.g. to monitor usage.

Any program and or data that is preprogrammed into a PCPU may in part or whole be the same as those within
other PCPUs and or may in part or whole be unique to other PCPUs. Any program that is currently within secure
memory may call on any currently external programs and or data and or apparatus to assist the functioning of any
program.

Protection of other forms of information:
The present invention also allows for the inclusion of part or all of the method and apparatus described in this
application when used in conjunction (in any manner) with any secure apparatus (that may be one or multiple
devices) for use in:
the secure decoding of encrypted (in part or whole) video information and or any other encrypted (in part or whole)
visual information, and or the secure generation of the necessary signals to display the decoded information on a
suitable visual output device, with said necessary signals preferably constrained within a secure region within said
visual output device and or
the secure decoding of encrypted (in part or whole) sound information and or the secure generation from this decoded
information of the necessary signals to drive a loudspeaker (and or equivalent), with said necessary signals
preferably constrained within said loudspeaker (or equivalent) and or
the secure decoding of encrypted (in part or whole) text as may be the case with
(and or any other printed matter of commercial value that is published
of the necessary signals to display the decoded information on a suitable visual output device;
this particularly applies when said secure apparatus securely monitors and or logs (directly and or indirectly) the use
of the encrypted information as it is decoded and used within said secure apparatus, and or
that includes (directly and or indirectly) one or multiple methods and apparatus to ensure payment is made for said
use.
Any combination of software and or hardware and or microcode may be used to implement the method and
apparatus, with the preferred method and apparatus:
retrieving pricing information from the encrypted information; and or
timing the use (and or counting the frequency of use) of said encrypted information; and or
storing this within the secure apparatus (that may include secure
volatile storage elements; and or
debiting an amount of electronic funds previously embedded within
recording an amount to charge at a future date; and or
generating a report of usage (preferably with a breakdown for each vendor and or product) that is supplied to the
information provider (and or agent); and or a
system to ensure that said report of usage has been received by the relevant parties; and or
that may disable part or all of its capabilities in the event that electronic
exceeded and or a report is not provided to the relevant parties and or that periodic information
said relevant parties; and or
that may be updated with additional electronic funds and or any previous
The encrypted information may be supplied on any machine readable physical medium
broadcast using any method.

When an external PSO requires to access the SPD, the normal process is to:
a) block interrupts if required and write a command to the system command input port
b) the process of writing to the port preferably generates an interrupt so there is a rapid response from the secure
microprocessor, otherwise there may be a delay while it is polled.
c) the secure microprocessor writes to the system command output port
resources and another value if there are resources, together with the address and size of a user command input and
output port and a user data input and output port. It clears the value written by the system microprocessor into the
system command input port.
d) the PSO reads the information from the system command output port and reacts
e) if resources are currently unavailable to the PSO it may enter any known delay routine and try again later. The
option exists for it to branch to a routine to advise the user that the multitasking capability of the UCDPS is currently
fully extended.
f) if granted access it saves the appropriate user port information in an accessible location and may read and write to
these ports as required. There is no need to disable interrupts when accessing the user ports allocated to it. There is
no requirement to modify the task switching routines of the UCDPS operating system
g) if the SPD has granted a PSO access to the SPD then it preferably stores relevant information about the PSO user
partition in a known location in the system partition, usually with information
h) the SPD waits until the PSO starts writing information to its user data input port, this may be triggered by an
interrupt or polling of locations and or any other method.
i) the SPD transfers the information into the allocated secure user partition. This may be done via the user data input
port and via Direct Memory Access (DMA) or by direct programmed I/O by the secure microprocessor and or
any other method permitted by a particular embodiment of the invention.
j) PSOs usually include various information to assist the SPD in addition to various
information.
k) various system functions are activated to decrypt and validate where appropriate and extract other information
relevant to the PSO.
m) the PSO may be determined to be a valid System Support Object that is required to be loaded into the secure
system partition to addresses determined by any method. The System Support Object may include data and
commands as to what sort of processing is required and or it may contain executable instructions, in which case the
secure microprocessor will be directed to execute this program.

This is usually granted if the SPD currently has sufficient resources. This would normally be the case in a single
tasking system, however, in a multitasking environment, a PSO may need to wait
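Steps a) to m) read as a handshake between a PSO running on the system microprocessor and the secure microprocessor, mediated by a pair of system command ports and per-PSO user ports. The Python below is an added example for this page and not the patent's design; it models that handshake with in-memory "ports": writing the system command input port raises an interrupt on the SPD (step b), the SPD answers through the output port with either a no-resources value or the user port addresses and partition size and clears the input port (step c), the PSO retries and eventually reports the UCDPS as fully extended (step e) or keeps its port addresses (step f), the SPD records each grant in its system partition (step g), and bytes written to an allocated user data port land in that PSO's secure partition while writes to any other port are ignored (steps h and i). The command and reply values, the port addresses, the partition count and size, and the release call are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed encodings: the patent leaves command and reply values open.
CMD_REQUEST_ACCESS = 0x01
REPLY_NO_RESOURCES = 0x00
REPLY_GRANTED = 0x01
PARTITION_SIZE = 4096       # assumed size of each secure user partition, in bytes
USER_PORT_BASE = 0x100      # assumed address of the first user port pair


@dataclass
class UserPartition:
    """One secure user partition and the port pair the SPD allocated for it (step c)."""
    cmd_port: int
    data_port: int
    buffer: bytearray = field(default_factory=bytearray)


class SecureProcessorDevice:
    """SPD side of steps b), c), g), h) and i)."""

    def __init__(self, partitions: int = 2) -> None:
        self.free: List[int] = list(range(partitions))
        self.system_cmd_in: Optional[int] = None
        self.system_cmd_out: Tuple[int, ...] = ()
        self.system_partition: Dict[int, UserPartition] = {}   # step g: record of each grant
        self.interrupts = 0

    def system_cmd_write(self, command: int) -> None:
        """Step b: a write to the system command input port interrupts the secure microprocessor."""
        self.system_cmd_in = command
        self.interrupts += 1
        self._service()

    def _service(self) -> None:
        """Step c: reply through the output port, then clear the input port."""
        if self.system_cmd_in == CMD_REQUEST_ACCESS:
            if self.free:
                p = self.free.pop(0)
                part = UserPartition(cmd_port=USER_PORT_BASE + 2 * p,
                                     data_port=USER_PORT_BASE + 2 * p + 1)
                self.system_partition[p] = part
                self.system_cmd_out = (REPLY_GRANTED, part.cmd_port, part.data_port, PARTITION_SIZE)
            else:
                self.system_cmd_out = (REPLY_NO_RESOURCES,)
        self.system_cmd_in = None

    def user_data_write(self, data_port: int, data: bytes) -> bool:
        """Steps h) and i): only bytes arriving on an allocated data port reach a partition."""
        for part in self.system_partition.values():
            if part.data_port == data_port:
                if len(part.buffer) + len(data) > PARTITION_SIZE:
                    return False                      # never overrun the partition
                part.buffer.extend(data)
                return True
        return False                                  # unallocated port: ignored

    def release(self, data_port: int) -> None:
        """Assumed teardown (not one of the listed steps): free a partition so a waiting PSO can retry."""
        for p, part in list(self.system_partition.items()):
            if part.data_port == data_port:
                del self.system_partition[p]
                self.free.append(p)


class ProtectedSoftwareObject:
    """PSO side of steps a), d), e) and f)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ports: Optional[Tuple[int, ...]] = None   # (cmd_port, data_port, size) once granted
        self.retries = 0

    def request_access(self, spd: SecureProcessorDevice, max_retries: int = 2) -> str:
        for _ in range(max_retries + 1):
            spd.system_cmd_write(CMD_REQUEST_ACCESS)   # step a)
            reply = spd.system_cmd_out                  # step d)
            if reply and reply[0] == REPLY_GRANTED:
                self.ports = reply[1:]                  # step f): keep the allocated port addresses
                return "granted"
            self.retries += 1                           # step e): a real PSO would delay before retrying
        return "multitasking capability fully extended"

    def send(self, spd: SecureProcessorDevice, data: bytes) -> bool:
        """Write through the allocated user data port (step h) as seen from the PSO)."""
        if self.ports is None:
            return False
        return spd.user_data_write(self.ports[1], data)
```

The model makes two properties of the described design visible: the SPD, not the PSO, decides which partition and ports a request receives, and a PSO that was refused cannot push data into anyone's partition because no data port is bound to it until a grant has been recorded in the system partition.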

The claims defining the invention are as follows:
1. A method of distributing software objects from a producer

equipping a user controlled data processing system with a secret processing device, and said user controlled data
processing system equipped with said secret processing device is referred to as a PUCDPS, wherein said secret
processing device of said PUCDPS may be configured to be dependent in part or whole
PUCDPS for part or all of the time, to one or multiple remote computers and or any other data processing devices,
however, part or all of said secret processing device may operate and or be configured to operate in a stand alone
PUCDPS and may remain operational extended periods after said PUCDPS
one or multiple times, and or moved to different locations, and or re
that would normally disrupt processing on said PUCDPS;

providing one or multiple service providers, with part at least of secret
processing device that is required to provide part at least of the
wherein said service providers are the agents of said producer;

providing a software object;

modifying part or all of said software object such that it is functionally limited to require said PUCDPS for correct
processing (in this claim execution and process and processing are interchangeable and refer to execution of
instructions and or processing of data) and the functional limitation may be Oscar compatible and or may be
Groover compatible and or may use any encryption method able to be reversed in said secret processing device.
Furthermore, said functional limitation may be of one or multiple essential parts of the software object such that it is
not practical to regenerate the original software object from any parts to
particular functionally limited software object
specific said secret processing device with unique characteristics necessary to reverse the functional limitation, or
the functional limitation may be reversed in part or whole on a plurality of said secret
common characteristics necessary to reverse the functional limitation; and or
modifying part or all of said software object, using any method
part or whole, using any method, to any one or multiple conditions of use, that may
tamper with and said conditions of use may include any code that identifies the producer of said software object and
or identifies said software object in any way, such that when said secret processing
all of said functional limitation, said secret processing device may record use of said
of software objects of a particular producer and or any other record that in part or whole is used in determining
remuneration to the producer and or any other parties and or said conditions of use may include any code or other
information which may be used by the SPD to determine if said software object:
is permitted to execute and or process in part or whole on a units of time used basis, and may include what fee
should be applied for the use of said software object and said fee may be any unit of measurement and is
preferably a generic units of use basis and said generic units may be attributed any real currency value at any
stage; and or
is permitted to execute and or process in part or whole on an event
times one or multiple parts of said software object are loaded and or executed and or any other measurable
events basis, and may include what fee should be applied for the use of said software
any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed
any real currency value at any stage; and or
is permitted to execute and or process on an unlimited basis subject to a fee, and may include what fee should
be applied for the use of said software object and said fee may be any unit of measurement and is preferably a
generic units of use basis and said generic units may be attributed any real currency value at any stage; and or
is permitted to execute and or process on any type of limited basis subject to a fee, and may include what fee
should be applied for the use of said software object and said fee may be any unit of measurement and is
preferably a generic units of use basis and said generic units may be attributed any real currency value at any
stage; and or
requires entry of one or multiple data keys of any type prior to initiating use of
for the first and or any other time on a particular said secret processing device and may include whether or not a
fee is to be charged; and or
requires any other restrictions of any type to be placed on use of said software object; and
any said software object modified in part or whole as described is referred

providing one or multiple protected software object onto computer-accessible memory media and or any suitable
apparatus for electronically transferring said protected software object to a potential user, and preferably the
conditions of use attached to said one or multiple protected software object permit said protected software object to
be used on a time used basis in a PUCDPS with a secret processing device that has sufficient quantity of one or
multiple said unit of measurement stored within and or securely accessible;

shipping said one or multiple said protected software object on said computer-accessible memory media to a
potential user and or said electronically transferring said one or multiple protected

loading said one or multiple said protected software object into said PUCDPS and executing as permitted by said
conditions of use;

where required by said conditions of use, a user friendly menu system and or any other
to:
request the supply of one or multiple said unit of measurement that may be required by the said secret
processing device for any purpose, and or
receive one or multiple said unit of measurement, preferably in suitably encrypted format, that may use any
method, and transfer said unit of measurement into the said secret processing device, and or accessible to the

38 secret processing device, and or 

39 request the supply of one or rnultipledatakeysthattnaybeTequired by the said secrapr^^ 
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1 receive one or nmltiplc dam keys and transfer said dam keys imo the said seaei procesing device, and or 

2 accessible to said secret processing device , using any method, and or 

3 geoezme one or multiple iqxms of software usage and or any ahcr infonnation flmt may be required, and 

4 siqjply said repom to said sendee provider and or any other cxtcni^ 

5 receive one or multiple codes oonfiraung that said report has been received and supply said one or multiple 

6 codes confinning imo said secret processing device and or accessible to said secret processing device, and or 

7 request the service provider and or any other authorised party for one or multiide codes that may be used to 

8 reactivatepartOTaU of saidsecretproccssing device ihmnury have been disa^ 

9 receive one or nmltiple codes to reactivate pan or aU of said secret process that may have been 

10 disabled for any reason and transfer said codes into said secret processing device, and or accessible to said 

11 secret processing device, and or 

12 for any erf the preceding, the infonnation generated by said PUa)PSa^ 

13 preferably transferred dectnmicaUy, however, any other combination of ra^^ 

14 computer-accessible inemory media containing the ixiformation. 
2. A method of distributing software objects according to Claim 1, wherein said secret processing device may:

securely decrypt and execute (in this claim execution and process an[...] execution of instructions and or processing of data) and or process in a[...] data; and or

securely decrypt and execute and or process instructions and or securely decrypt [...] part or all of the requirements of reversing functional limitations [...]; and or

reverse any functional limitations applied that are said Groover compatible [...]; and or

reverse part or all any functional limitations applying to said protected software object; and or

may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software object, and this is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said user controlled data processing system is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

transfer into said secret processing device and or have transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or

examine said conditions of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or

may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software object have [...]; and or

handle the requirements of a large number of different protected software objects that it has not been specifically preconfigured for while in unsecure locations; and or

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties; and or

may securely record the usage of said protected software object and the record may include [...] the usage on a producer and or product or any other basis, and said record in part or whole [...]; and or

request and or compel the user of said PUCDPS to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports have been received as required; and or

not require modification of the PUCDPS operating system; and or

not require special routines to intercept calls to said system operating system; and or

identify the type of said protected software object and act as required; and or

provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or

provide or have access to one or multiple tamperproof timers; and or

provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or

provide one or multiple programs, that may be preprogrammed and or transferred as required, that use secret information unique to said secret processing device; and or

process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparent to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple application[s ...] to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose; and or

may partition secure memory that forms part of said secret processing system into secure system memory and secure user memory, wherein programs within system memory may access those in the user memory, however, user programs may not access system memory on an unauthorised basis, furthermore, said user memory may be further partitioned into multiple user partitions, wherein each user partition cannot affect information within other user partitions.
3. A method of distributing software objects according to Claim 1, wherein said not practical may be interpreted as multiple levels of difficulty depending on the requirements and may be too difficult:

for a normal user,

with disassembly of said parts that are not functionally limited,

with attempts at characterising encrypted information in the hope of breaking encryption,

with attempts at destroying the package to view the information within.
4. A method of distributing software objects according to Claim 1, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.
5. A method of distributing software objects according to Claim 1, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion [...] object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.
6. A method of distributing software objects according to Claim 2, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.
7. An apparatus for distributing software objects, referenced a secret processing device, [...] integrated into the same integrated circuit and or directly and or i[...] said user controlled data processing system, and preferably does not inte[...] system microprocessor, the secret processing device may also form [...] microprocessor, part or all of said secret processing device may be integrated into any one or multiple devices external to said system microprocessor and attached directly and or indirectly [...] system;

said secret processing device includes one or multiple secure micro[...] memory storage devices, that may be any type and mix, and may include [...] other functions as described, wherein said secret processing device may:

securely decrypt and execute and or process instructions and or securely decry[...]; and or

securely decrypt and execute and or process instructions and or securely decrypt a[...] part or all of the requirements of reversing functional limitations [...]; and or

reverse any functional limitations applied that are said Groover compatible [...]; and or

reverse part or all any functional limitations applying to said protected software object; and or

may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software object, and this is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said user controlled data processing system is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

transfer into itself and or has transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or

examine the said condition of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or

may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software object [...]; and or

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties; and or

may securely record the usage of said protected software object and the record may include [...] the usage on a producer and or product or any other basis, and said record in part or whole [...]; and or

request and or compel the user of said user controlled data processing system to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports have been received as required; and or

not require modification of the PUCDPS operating system; and or

not require special routines to intercept calls to said system operating system; and or

identify the type of said protected software object and act as required; and or

provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or

provide or have access to one or multiple tamperproof timers; and or

provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or

provide one or multiple programs, that may be preprogrammed and or transferred as required, that use secret information unique to said secret processing device; and or

process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparent to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple application[s ...] to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose.
8. A method of distributing software objects according to Claim 7, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.
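The decision the secret processing device makes in Claims 1, 6 and 8 (examine the securely linked conditions of use, require a data key where one is demanded, offset generic units of use against the fee on a time, event, unlimited or limited basis, record usage per producer and product, and compel a confirmed usage report) can be modelled end to end. The Python below is an added example written for this page, not code from the patent or its applicant; the HMAC linking of the conditions, the fixed reporting threshold and every class, field and function name are assumptions made for illustration.

```python
"""Added example, not code from the patent or its applicant: a model of the secret
processing device (SPD) of Claims 1, 6 and 8 deciding, from securely linked conditions
of use, whether a protected software object may execute. Assumed for illustration:
conditions are bound to the object by an HMAC under a key the SPD holds, fees are
charged in generic units of use, and a usage report must be confirmed before more
than REPORT_EVERY units are charged. All names are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class ConditionsOfUse:
    producer: str            # code identifying the producer (for remuneration records)
    object_id: str           # code identifying the software object
    basis: str               # "time", "event", "unlimited" or "limited"
    fee_units: int           # generic units per time unit, per event, or one-off fee
    quota: int = 0           # "limited" basis: number of executions permitted
    data_key_hash: str = ""  # hash of a data key required before first use ("" = none)


def data_key_hash(data_key: bytes) -> str:
    return hashlib.sha256(data_key).hexdigest()


def link_conditions(cou: ConditionsOfUse, link_key: bytes) -> tuple[bytes, bytes]:
    """Producer side: securely link the conditions to the object as (encoded, mac)."""
    encoded = json.dumps(asdict(cou), sort_keys=True).encode()
    return encoded, hmac.new(link_key, encoded, hashlib.sha256).digest()


def service_provider_ack(report_key: bytes, report: bytes) -> bytes:
    """Service provider side: code confirming that a usage report was received."""
    return hmac.new(report_key, hashlib.sha256(report).digest(), hashlib.sha256).digest()


class SecretProcessingDevice:
    REPORT_EVERY = 40  # assumed policy: units chargeable before a confirmed report is due

    def __init__(self, link_key: bytes, report_key: bytes, units: int = 0) -> None:
        self._link_key, self._report_key = link_key, report_key  # assumed key sharing
        self.units = units                      # generic units of use held by the SPD
        self.activated: set[str] = set()        # objects whose data key has been entered
        self.paid_unlimited: set[str] = set()   # objects whose one-off fee was charged
        self.event_counts: dict[str, int] = {}
        self.usage_record: dict[tuple[str, str], int] = {}  # (producer, object) -> units
        self.unreported_units = 0
        self._pending_report: bytes | None = None

    def load_conditions(self, encoded: bytes, mac: bytes) -> ConditionsOfUse | None:
        """Validate the securely linked conditions; tampered conditions are rejected."""
        expected = hmac.new(self._link_key, encoded, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None
        return ConditionsOfUse(**json.loads(encoded))

    def enter_data_key(self, cou: ConditionsOfUse, data_key: bytes) -> bool:
        if data_key_hash(data_key) != cou.data_key_hash:
            return False
        self.activated.add(cou.object_id)
        return True

    def decide(self, cou: ConditionsOfUse, amount: int = 1) -> tuple[bool, str]:
        """Autonomous decision whether to reverse the limitation; charges units if permitted."""
        if cou.data_key_hash and cou.object_id not in self.activated:
            return False, "data key required"
        if self.unreported_units >= self.REPORT_EVERY:
            return False, "usage report overdue"
        if cou.basis in ("time", "event"):      # amount = time units or events consumed
            cost = cou.fee_units * amount
        elif cou.basis == "unlimited":
            cost = 0 if cou.object_id in self.paid_unlimited else cou.fee_units
        elif cou.basis == "limited":
            if self.event_counts.get(cou.object_id, 0) + amount > cou.quota:
                return False, "quota exhausted"
            cost = cou.fee_units * amount
        else:
            return False, "unknown basis"
        if cost > self.units:
            return False, "insufficient units"
        self.units -= cost                      # offset units of use against the use
        self.unreported_units += cost
        key = (cou.producer, cou.object_id)     # usage recorded per producer and product
        self.usage_record[key] = self.usage_record.get(key, 0) + cost
        if cou.basis == "unlimited":
            self.paid_unlimited.add(cou.object_id)
        elif cou.basis != "time":
            self.event_counts[cou.object_id] = self.event_counts.get(cou.object_id, 0) + amount
        return True, "permitted"

    def generate_report(self) -> bytes:
        rows = {f"{p}/{o}": u for (p, o), u in sorted(self.usage_record.items())}
        self._pending_report = json.dumps(rows, sort_keys=True).encode()
        return self._pending_report

    def confirm_report(self, code: bytes) -> bool:
        if self._pending_report is None:
            return False
        expected = service_provider_ack(self._report_key, self._pending_report)
        if not hmac.compare_digest(expected, code):
            return False
        self._pending_report, self.unreported_units = None, 0
        return True
```

The device refuses before it charges: conditions whose MAC does not verify are never loaded, a missing data key or an exhausted quota returns a refusal with no units deducted, and once `REPORT_EVERY` units have been charged without a confirmed report every further request is refused until the provider's confirmation code is accepted, which is the "request and or compel the user ... to provide reports" behaviour of Claims 2 and 7.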
9. An apparatus for distributing software objects according to Claim 7, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.
10. An apparatus for distributing software objects according to Claim 7, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion [...] object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.
11. An apparatus for distributing software objects according to Claim 7, [...] software object that has been reversibly functionally limited to be reverse[d ...] said secret processing device.
12. An apparatus for distributing software objects according to Claim 7, wherein [...] plurality of conditions securely linked to said protected software object [...] secret processing device and used to determine whether to reverse the said functional limitations applied to one or multiple said protected software object.
13. A method of securely protecting and distributing software objects substantially as hereinbefore described with reference to the drawings.

14. An apparatus for distributing software objects substantially as hereinbefore described with reference to the drawings.
15. The steps, features, compositions and compounds disclosed herein or referred to or indicated in the specification and/or claims of this application, individually or collectively, and any and all combinations of any two or more of said steps or features.